Wrong usage of JS functions (Appendix: Leveraging Dev Tools - Encoding and Decoding)

[ukusormus]

What's the issue?

In Appendix: Leveraging Dev Tools > Encoding and Decoding:

• Suggesting use of escape() and unescape() JavaScript functions for HTML encoding/decoding, while:

  • these functions do not actually encode/decode HTML in the traditional sense (HTML entities). Actual behavior:

  > escape("<script>")
  '%3Cscript%3E'

  • they're deprecated. Source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/escape

• Suggesting use of encodeURIComponent() and decodeURIComponent for URL encoding/decoding, while:

  • these functions are meant to encode/decode URL parameter values, not full URLs, e.g.:

    > encodeURIComponent("https://www.example.com/?key=valuew/slash")
    'https%3A%2F%2Fwww.example.com%2F%3Fkey%3Dvaluew%2Fslash'

How do we solve it?

• Remove current form of HTML encoding/decoding. Maybe look for a better JavaScript solution or omit it entirely?
• Rename the usage of URL encode/decode to reflect that they're meant for URL parameter values, and/or add encodeURI() also. See more: When are you supposed to use escape instead of encodeURI / encodeURIComponent? - an answer on Stack Overflow

[kingthorin]

Thanks @ukusormus, feel up for tackling the change(s)?

How do we solve it? Remove current form of HTML encoding/decoding. Maybe look for a better JavaScript solution or omit it entirely?

Let's omit it.

Rename the usage of URL encode/decode to reflect that they're meant for URL parameter values, and/or add encodeURI() also. See more: When are you supposed to use escape instead of encodeURI / encodeURIComponent? - an answer on Stack Overflow

Clarify what it's meant for, and add encodeURI().