001/*
002 * Copyright (C) 2009 The Guava Authors
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
005 * in compliance with the License. You may obtain a copy of the License at
006 *
007 * http://www.apache.org/licenses/LICENSE-2.0
008 *
009 * Unless required by applicable law or agreed to in writing, software distributed under the License
010 * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
011 * or implied. See the License for the specific language governing permissions and limitations under
012 * the License.
013 */
014
015package com.google.common.net;
016
017import com.google.common.annotations.GwtCompatible;
018import com.google.common.escape.Escaper;
019
020/**
021 * {@code Escaper} instances suitable for strings to be included in particular sections of URLs.
022 *
023 * <p>If the resulting URLs are inserted into an HTML or XML document, they will require additional
024 * escaping with {@link com.google.common.html.HtmlEscapers} or {@link
025 * com.google.common.xml.XmlEscapers}.
026 *
027 * @author David Beaumont
028 * @author Chris Povirk
029 * @since 15.0
030 */
031@GwtCompatible
032@ElementTypesAreNonnullByDefault
033public final class UrlEscapers {
034  private UrlEscapers() {}
035
036  // For each xxxEscaper() method, please add links to external reference pages
037  // that are considered authoritative for the behavior of that escaper.
038
039  static final String URL_FORM_PARAMETER_OTHER_SAFE_CHARS = "-_.*";
040
041  static final String URL_PATH_OTHER_SAFE_CHARS_LACKING_PLUS =
042      "-._~" // Unreserved characters.
043          + "!$'()*,;&=" // The subdelim characters (excluding '+').
044          + "@:"; // The gendelim characters permitted in paths.
045
046  /**
047   * Returns an {@link Escaper} instance that escapes strings so they can be safely included in <a
048   * href="https://goo.gl/MplK6I">URL form parameter names and values</a>. Escaping is performed
049   * with the UTF-8 character encoding. The caller is responsible for <a
050   * href="https://goo.gl/9EfkM1">replacing any unpaired carriage return or line feed characters
051   * with a CR+LF pair</a> on any non-file inputs before escaping them with this escaper.
052   *
053   * <p>When escaping a String, the following rules apply:
054   *
055   * <ul>
056   *   <li>The alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain
057   *       the same.
058   *   <li>The special characters ".", "-", "*", and "_" remain the same.
059   *   <li>The space character " " is converted into a plus sign "+".
060   *   <li>All other characters are converted into one or more bytes using UTF-8 encoding and each
061   *       byte is then represented by the 3-character string "%XY", where "XY" is the two-digit,
062   *       uppercase, hexadecimal representation of the byte value.
063   * </ul>
064   *
065   * <p>This escaper is suitable for escaping parameter names and values even when <a
066   * href="https://goo.gl/utn6M">using the non-standard semicolon</a>, rather than the ampersand, as
067   * a parameter delimiter. Nevertheless, we recommend using the ampersand unless you must
068   * interoperate with systems that require semicolons.
069   *
070   * <p><b>Note:</b> Unlike other escapers, URL escapers produce <a
071   * href="https://url.spec.whatwg.org/#percent-encode">uppercase</a> hexadecimal sequences.
072   *
073   */
074  public static Escaper urlFormParameterEscaper() {
075    return URL_FORM_PARAMETER_ESCAPER;
076  }
077
078  private static final Escaper URL_FORM_PARAMETER_ESCAPER =
079      new PercentEscaper(URL_FORM_PARAMETER_OTHER_SAFE_CHARS, true);
080
081  /**
082   * Returns an {@link Escaper} instance that escapes strings so they can be safely included in <a
083   * href="https://goo.gl/m2MIf0">URL path segments</a>. The returned escaper escapes all non-ASCII
084   * characters, even though <a href="https://goo.gl/e7E0In">many of these are accepted in modern
085   * URLs</a>. (<a href="https://goo.gl/jfVxXW">If the escaper were to leave these characters
086   * unescaped, they would be escaped by the consumer at parse time, anyway.</a>) Additionally, the
087   * escaper escapes the slash character ("/"). While slashes are acceptable in URL paths, they are
088   * considered by the specification to be separators between "path segments." This implies that, if
089   * you wish for your path to contain slashes, you must escape each segment separately and then
090   * join them.
091   *
092   * <p>When escaping a String, the following rules apply:
093   *
094   * <ul>
095   *   <li>The alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain
096   *       the same.
097   *   <li>The unreserved characters ".", "-", "~", and "_" remain the same.
098   *   <li>The general delimiters "@" and ":" remain the same.
099   *   <li>The subdelimiters "!", "$", "&amp;", "'", "(", ")", "*", "+", ",", ";", and "=" remain
100   *       the same.
101   *   <li>The space character " " is converted into %20.
102   *   <li>All other characters are converted into one or more bytes using UTF-8 encoding and each
103   *       byte is then represented by the 3-character string "%XY", where "XY" is the two-digit,
104   *       uppercase, hexadecimal representation of the byte value.
105   * </ul>
106   *
107   * <p><b>Note:</b> Unlike other escapers, URL escapers produce <a
108   * href="https://url.spec.whatwg.org/#percent-encode">uppercase</a> hexadecimal sequences.
109   */
110  public static Escaper urlPathSegmentEscaper() {
111    return URL_PATH_SEGMENT_ESCAPER;
112  }
113
114  private static final Escaper URL_PATH_SEGMENT_ESCAPER =
115      new PercentEscaper(URL_PATH_OTHER_SAFE_CHARS_LACKING_PLUS + "+", false);
116
117  /**
118   * Returns an {@link Escaper} instance that escapes strings so they can be safely included in a <a
119   * href="https://goo.gl/xXEq4p">URL fragment</a>. The returned escaper escapes all non-ASCII
120   * characters, even though <a href="https://goo.gl/e7E0In">many of these are accepted in modern
121   * URLs</a>.
122   *
123   * <p>When escaping a String, the following rules apply:
124   *
125   * <ul>
126   *   <li>The alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain
127   *       the same.
128   *   <li>The unreserved characters ".", "-", "~", and "_" remain the same.
129   *   <li>The general delimiters "@" and ":" remain the same.
130   *   <li>The subdelimiters "!", "$", "&amp;", "'", "(", ")", "*", "+", ",", ";", and "=" remain
131   *       the same.
132   *   <li>The space character " " is converted into %20.
133   *   <li>Fragments allow unescaped "/" and "?", so they remain the same.
134   *   <li>All other characters are converted into one or more bytes using UTF-8 encoding and each
135   *       byte is then represented by the 3-character string "%XY", where "XY" is the two-digit,
136   *       uppercase, hexadecimal representation of the byte value.
137   * </ul>
138   *
139   * <p><b>Note:</b> Unlike other escapers, URL escapers produce <a
140   * href="https://url.spec.whatwg.org/#percent-encode">uppercase</a> hexadecimal sequences.
141   */
142  public static Escaper urlFragmentEscaper() {
143    return URL_FRAGMENT_ESCAPER;
144  }
145
146  private static final Escaper URL_FRAGMENT_ESCAPER =
147      new PercentEscaper(URL_PATH_OTHER_SAFE_CHARS_LACKING_PLUS + "+/?", false);
148}