I am required to make the call via javascript:
Shudder. Please fix this. It's been known as a bad practice for over ten years! And it's exactly what's causing the URI decoding - the javascript: schema is followed by a percent-encoded value to interpret.
So if you start with the js code
my_function('my&quote's.txt');
it would become one of
javascript:my_function%28%27my%26quote%27s.txt%27%29%3B
javascript:my_function(%27my%26quote%27s.txt%27)%3B
javascript:my_function('my%26quote's.txt')%3B
(the apostrophe ' and the parentheses actually don't need to be encoded).
But 'my_quote's.txt' is not the valid javascript that you want to start with. What you're actually looking for is 'my_quote\'s.txt' or "my_quote's.txt". To use these in a javascript:-scheme URI, it becomes
javascript:my_function('my_quote%5C's.txt')%3B
javascript:my_function("my_quote's.txt")%3B
So if you generate this href string from a dynamic filename value, you must
- String-escape the filename in the JS string literal
- URL-encode the complete code in the javascript url
- html-entity-escape the complete href attribute value
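The three steps above applied in order, as an added example that is not part of the original answer. `buildJavascriptHref`, `htmlEscapeAttr` and `recoverFilename` are hypothetical helper names, `JSON.stringify` is used here as the string-escaping step, and `recoverFilename` peels the layers off in the order a browser does to confirm the filename survives unchanged.

```javascript
// Added example: helper names are hypothetical; my_function is the
// function named in the question.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Step 3 helper: escape everything that can end or alter an attribute value.
function htmlEscapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

function buildJavascriptHref(filename) {
  // Step 1: string-escape the filename as a JS string literal.
  // JSON.stringify emits a double-quoted literal with ", \ and control
  // characters escaped.
  const literal = JSON.stringify(filename);
  const code = `my_function(${literal});`;

  // Step 2: URL-encode the complete code. encodeURIComponent leaves
  // ' ( ) ! * ~ untouched, so an apostrophe is still raw after this step.
  const uri = 'javascript:' + encodeURIComponent(code);

  // Step 3: HTML-escape the complete attribute value. This is what
  // neutralises the apostrophe that step 2 left in place.
  return htmlEscapeAttr(uri);
}

// Reverse the layers in the order a browser applies them:
// HTML entity decoding, then percent-decoding, then JS parsing.
function recoverFilename(attrValue) {
  const uri = attrValue.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(HTML_ENTITIES).find((k) => HTML_ENTITIES[k] === m));
  const code = decodeURIComponent(uri.slice('javascript:'.length));
  const match = /^my_function\((.*)\);$/.exec(code);
  if (!match) throw new Error('unexpected code: ' + code);
  return JSON.parse(match[1]); // parse the literal without executing it
}

// Constructed sample filenames, including one containing a literal "%27".
const samples = ["my&quote's.txt", 'a"b\\c%27d<e>.txt'];
for (const name of samples) {
  console.log(`<a href="${buildJavascriptHref(name)}">${htmlEscapeAttr(name)}</a>`);
}
```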