Tomalak

Reputation: 338406

HTTP URL - allowed characters in parameter names

Is there any formal restriction as to which characters are allowed in URL parameter names?

I've been reading RFC3986 ("Uniform Resource Identifier (URI): Generic Syntax") but came to no definitive conclusion.

I know there are practical limitations, but would it actually be forbidden to do something like:

param with\funny<chars>=some_value

as long as I escape it correctly:

param%20with%1cfunny%3cchars%3e=some_value

Upvotes: 26

Views: 28405

Answers (4)

inder

Reputation: 1823

Per RFC 2396, the parameter names and values can contain upper/lower case letters, decimal digits, and -_.!~*'() characters. Everything else needs to be escaped.

Upvotes: 2

m_vitaly

Reputation: 11952

You should also read RFC2396. It seems to be more informative than RFC3986.

Upvotes: 8

Konrad Rudolph

Reputation: 546153

There are no restrictions on escaped parameter names in the URI specs. There might be restrictions in the server-side software that you use, though. This is especially true if you use “homemade” scripts to interpret URIs.

Upvotes: 13

Neil Barnwell

Reputation: 42165

There are reserved characters for URLs, but as long as you escape (urlencode) then you should be fine.

Depending on the framework used, you may get exceptions if you try to submit suspicious values. ASP.NET has content filtering that will throw exceptions if you try to submit "unsafe" data, like scripts or HTML. That's a feature of the framework though rather than a limitation or rule enforced by the URL syntax.

Upvotes: 2
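
Added example (not part of any post above): a Python sketch that checks a raw query string against the RFC 3986 query grammar, percent-encodes the parameter name from the question, and decodes names on the receiving side. The function names and the control-character policy are assumptions for illustration; the policy stands in for the kind of server-side restriction the answers mention and is not a rule of the URI syntax.

```python
import re
from urllib.parse import parse_qsl, quote

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
QUERY_RE = re.compile(
    r"(?:[A-Za-z0-9._~-]"      # unreserved
    r"|%[0-9A-Fa-f]{2}"        # pct-encoded
    r"|[!$&'()*+,;=]"          # sub-delims
    r"|[:@/?])*"               # also allowed inside a query
)


def is_valid_query(raw: str) -> bool:
    """True if the raw (still encoded) query string fits the RFC 3986 grammar."""
    return QUERY_RE.fullmatch(raw) is not None


def encode_pair(name: str, value: str) -> str:
    """Percent-encode everything outside the unreserved set in name and value."""
    return f"{quote(name, safe='')}={quote(value, safe='')}"


def decode_names(raw: str) -> list[str]:
    """Check the syntax first, then decode and return the parameter names."""
    if not is_valid_query(raw):
        raise ValueError("query string is not valid RFC 3986 syntax")
    pairs = parse_qsl(raw, keep_blank_values=True, strict_parsing=True)
    return [name for name, _ in pairs]


def has_control_chars(name: str) -> bool:
    """Hypothetical application policy (not a URI rule): flag C0 controls and DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


if __name__ == "__main__":
    raw_name = "param with\\funny<chars>"          # name from the question
    encoded = encode_pair(raw_name, "some_value")
    print(encoded)
    print(is_valid_query(raw_name + "=some_value"), is_valid_query(encoded))
    print(decode_names(encoded))
    # Constructed input: %1C is syntactically valid but decodes to U+001C.
    print([has_control_chars(n) for n in decode_names("a%1Cb=1&plain=2")])
```

The syntax check runs on the encoded string and the policy check on the decoded names, so a name can pass the first and still be refused by the second.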
