Forum Discussion

clemensw's avatar
clemensw
Guide
5 years ago

decode an URL encoded string eg. “%C3%9” --> “ß” ?

Dear Community, how can we decode an URL encoded string eg. “%C3%9” --> “ß” ? When calling a URL with ....t5/tag/abc%C3%9Fxyz/tg-p/board-id/abcx we catch the tag name with: <#assign tagName = pa...
  • AndrewF's avatar
    AndrewF
    5 years ago

    The standard utility for this purpose is webuisupport.path.parameters.name.get($name).

    I looked up that utility method (pageUtils.getUrlPathParameter(...)). It is custom (not part of the Community FreeMarker API) and has not been implemented correctly. It slices up the URL based on some format assumptions and does not decode the parameter value, so there is a risk of encoding-related bugs or even injection vulnerabilities. It also has the potential to return incorrect data for certain page/param combinations.

    There is not a way today to URL-decode in FreeMarker itself, and we have not added any utility methods for that purpose (unlike, say, Base64).

    A note about URL path encoding: the path of a URL is considered application-specific, so it is less standardized than query string encoding — different websites & applications can use different sorts of encoding schemes. Also, overall the path has different rules (e.g., only QS encoding requires escaping '=' or '&', and only path encoding requires escaping '/'). Therefore, it would not be safe to use a query string encode/decode process for our URL paths, and we would discourage reverse engineering the path encoding, as it is not a platform contract point and may change as required for Community improvements.

AndrewF's avatar
AndrewF
Khoros Oracle
5 years ago

The standard utility for this purpose is webuisupport.path.parameters.name.get($name).

I looked up that utility method (pageUtils.getUrlPathParameter(...)). It is custom (not part of the Community FreeMarker API) and has not been implemented correctly. It slices up the URL based on some format assumptions and does not decode the parameter value, so there is a risk of encoding-related bugs or even injection vulnerabilities. It also has the potential to return incorrect data for certain page/param combinations.

There is not a way today to URL-decode in FreeMarker itself, and we have not added any utility methods for that purpose (unlike, say, Base64).

A note about URL path encoding: the path of a URL is considered application-specific, so it is less standardized than query string encoding — different websites & applications can use different sorts of encoding schemes. Also, overall the path has different rules (e.g., only QS encoding requires escaping '=' or '&', and only path encoding requires escaping '/'). Therefore, it would not be safe to use a query string encode/decode process for our URL paths, and we would discourage reverse engineering the path encoding, as it is not a platform contract point and may change as required for Community improvements.