26

I'm trying to figure out what the default set of unsafe characters is for URI.escape in ruby 2.2.3. The docs say:

By default uses REGEXP::UNSAFE

But I can't find that constant anywhere in the URI module.

Additionally, this code (snippet below) has the escape / unescape methods marked as 'obsolete' since 2009. Why are they obsolete?

lib/uri/common.rb:97

def escape(*arg)
  warn "#{caller(1)[0]}: warning: URI.escape is obsolete" if $VERBOSE
  DEFAULT_PARSER.escape(*arg)
end

Are the docs just wrong / out of date?

davetakahashi
  • 494
  • 1
  • 4
  • 12
  • 2
    Don't say "this code" and provide a link. Instead, extract ONLY the code pertinent to your discussion and put it into your question. Please read "[ask]" and "[mcve]". Consider it this way: links rot, and when that one does will your question make as much sense for others looking for the same answer? – the Tin Man Dec 14 '15 at 20:26

3 Answers3

11

I see you answered your question re: UNSAFE. As to this question:

Additionally, this code has the escape / unescape methods marked as 'obsolete' since 2009. Why are they obsolete?

There's some background in this Dec. 2010 issue: https://bugs.ruby-lang.org/issues/4167 In that thread Yui Naruse writes:

URI lib says it refers RFC2396, so current behavior is correct in its spec.

Yes, I know current behavior is not what you expect. So we plan to change the lib to refer RFC3986.

Moreover current URI.encode is simple gsub. But I think it should split a URI to components, then escape each components, and finally join them.

So current URI.encode is considered harmful and deprecated. This will be removed or change behavior drastically.

What is the replacement at this time?

As I said above, current URI.encode is wrong on spec level. So we won't provide the exact replacement. The replacement will vary by its use case.

We thought most use case is to generate escaped URI from joined URI componets. For this, people should use URI.join or URI.encode_www_form; you should escape each components before join them.

Jordan Running
  • 102,619
  • 17
  • 182
  • 182
  • 1
    As the quote says `URI.encode_www_form` is safe. It's also easy to use. [Addressable::URI](https://github.com/sporkmonger/addressable) is a very worthy gem that I prefer if I have to do anything with lots of URIs. – the Tin Man Dec 14 '15 at 20:29
5

It turns out the docs are not quite accurate with regard to the default constant. If we look at

https://github.com/ruby/ruby/blame/trunk/lib/uri/rfc2396_parser.rb#L299

it's no longer a constant, but a member of a hash. So the default can really be examined like this:

> URI::DEFAULT_PARSER.regexp[:UNSAFE]
=> /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]]/

EDIT: Appears you can get it with simply:

> URI::UNSAFE
=> /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]]/
davetakahashi
  • 494
  • 1
  • 4
  • 12
  • The actual regex is here: https://github.com/ruby/ruby/blob/832c74f428db6c5bd6e575e1f6ea7fe0891c84d2/lib/uri/rfc2396_parser.rb#L514 – Wand Maker Dec 14 '15 at 20:04
5

There is an alternative, so if you are using the addressable gem, you can use ::escape method of its URI module as well as of the regular URI.

Addressable::URI.escape(value)
Малъ Скрылевъ
  • 16,187
  • 5
  • 56
  • 69