Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 640 down vote favorite
170

How do you safely encode a URL using JavaScript such that it can be put into a GET string?

var myUrl = "http://example.com/index.html?param=1&anotherParam=2";
var myOtherUrl = "http://example.com/index.html?url=" + myUrl;

I assume that you need to encode the myUrl variable on that second line?

share|improve this question
1  
Try looking into encodeURI() and decodeURI(). – Zack The Human Dec 2 '08 at 2:39
See JavaScript urlencode function. – Yanni Jun 30 '11 at 16:40
You can use this tool here: phillihp.com/toolz/url-encode-decode – phillihp Sep 18 '12 at 2:13

7 Answers

up vote 781 down vote accepted

Check out the built-in function encodeURIComponent(str) and encodeURI(str).
In your case, this should work:

var myOtherUrl = 
       "http://example.com/index.html?url=" + encodeURIComponent(myUrl);
share|improve this answer
How about adding the explanation @cms gave? escape is also a valid option. – hitautodestruct Oct 28 '12 at 11:36
according to @CMS encodeURI is not really safe for URL encoding. – AnaelFavre Mar 1 at 16:35
1  
@AnaelFavre because it is meant to encode the whole URL, which doesn't allow characters such as :, /, @ etc. These 2 methods are not to be used interchangeable, you must know what you are encoding to use the right method. – Buu Nguyen Mar 6 at 19:32
up vote 465 down vote

You have three options:

  • escape() will not encode: @*/+

  • encodeURI() will not encode: ~!@#$&*()=:/,;?+'

  • encodeURIComponent() will not encode: ~!*()'

But in your case, if you want to pass a URL into a GET parameter of other page, you should use escape or encodeURIComponent, but not encodeURI.

See Stack Overflow question Best practice: escape, or encodeURI / encodeURIComponent for further discussion.

share|improve this answer
22  
The character encoding used with escape is variable. Stick with encodeURI and encodeURIComponent, which use UTF-8. – erickson Dec 2 '08 at 4:55
2  
Be careful. That escape converts non-ASCII characters into its Unicode escape sequences, like %uxxx. – opteronn Mar 5 '10 at 20:10
2  
I am using encodeURIComponent and noticing it will not encode pipe characters | – kevzettler Jan 30 '11 at 5:05
12  
@kevzettler - why should it do that? The pipes aren't of semantic importance in a URI. – nickf Jan 31 '11 at 11:36
up vote 46 down vote

Stick with encodeURIComponent(). The function encodeURI() does not bother to encode many characters that have semantic importance in URLs (e.g. "#", "?", and "&"). escape() does not bother to encode "+" characters, which will be interpreted as encoded spaces on the server (and, as pointed out by others here, does not properly URL-encode non-ASCII characters).

There is a nice explanation of the difference between encodeURI() and encodeURIComponent() elsewhere. If you want to encode something so that it can safely be included as a component of a URI (e.g. as a query string parameter), you want to use encodeURIComponent().

share|improve this answer
up vote 5 down vote

Personally, I find that many APIs want to replace " " with "+" so I use the following:

encodeURIComponent(query).replace('%20','+')

escape is implemented differently in different browsers and encodeURI doesn't encode most of the characters that are functional in a URI (like # and even /). it's made to be used on a full URI/URL without breaking it.

share|improve this answer
7  
Please note, you should only replace %20 with + symbols after the first question mark (which is the 'query' part of the URL). Let's say I want to browse to http://somedomain/this dir has spaces/info.php?a=this has also spaces. It should be converted to: http://somedomain/this%20dir%20has%spaces/info.php?a=this%20has%20also%20spaces‌​ but many implementations allow '%20' in the querystring to be replaced by '+'. Nevertheless, you cannot replace '%20' with '+' in the path-section of the URL, this will result in a Not Found error unless you have a directory with a + instead of a space. – Jochem Kuijpers Jan 20 at 1:08
definitely, good point! – Ryan Taylor Jan 23 at 2:55
up vote 2 down vote

Nothing worked for me. All I was seeing was the HTML of the login page, coming back to the client side with code 200. (302 at first but the same Ajax request loading login page inside another Ajax request, which was supposed to be a redirect rather than loading plain text of the login page).

In the login controller, I added this line:

Response.Headers["land"] = "login";

And in the global Ajax handler, I did this:

$(function () {
    var $document = $(document);
    $document.ajaxSuccess(function (e, response, request) {
        var land = response.getResponseHeader('land');
        var redrUrl = '/login?ReturnUrl=' + encodeURIComponent(window.location);
        if(land) {
            if (land.toString() === 'login') {
                window.location = redrUrl;
            }
        }
    });
});

Now I don't have any issue, and it works like a charm.

share|improve this answer
up vote 2 down vote

If you are using jQuery I would go for $.param method. It does URL encoding of parameter values and uses JSON syntax which is much easier to read compared to concatenating strings.

$.param({a:"1=2", b:"Test 1"}) // gets a=1%3D2&b=Test+1

share|improve this answer
up vote 0 down vote

Similar kind of thing I tried with normal javascript

function fixedEncodeURIComponent(str){
     return encodeURIComponent(str).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
}
share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.