Command values must be http-encoded using %xx escape sequences, such that the value strings do not include the reserved characters ‘=’, ‘&’, and ‘%’.
Otherwise, standard HTTP encoding rules apply. The HTTP specification requires encoding of the unsafe characters, as well as any control characters, such as <return>
and <tab>
. URL encoding of a character consists of a “%” symbol, followed by the two-digit hexadecimal representation (case-insensitive) of the ISO-Latin code point for the character. The unsafe characters and code points are:
Unsafe character | Code points (hex) | Code points (dec) |
---|---|---|
Space |
20 |
32 |
< |
3C |
60 |
> |
3E |
62 |
" |
22 |
34 |
# |
23 |
35 |
% |
25 |
37 |
{ |
7B |
123 |
} |
7D |
125 |
| |
7C |
124 |
\ |
5C |
92 |
^ |
5E |
94 |
~ |
7E |
126 |
[ |
5B |
91 |
] |
5D |
93 |
` |
60 |
96 |
Reserved characters must also be encoded.
Reserved Character | Code Points (Hex) | Code Points (Dec) |
---|---|---|
$ |
24 |
36 |
& |
26 |
38 |
+ |
2B |
43 |
, |
2C |
44 |
/ |
2F |
47 |
: |
3A |
58 |
; |
3B |
59 |
= |
3D |
61 |
? |
3F |
63 |
@ |
40 |
64 |
…&$text=rate&weight=85% 27#&…
If obfuscation is not applied, the above request fragment must be encoded as follows:
…&$text=rate%26weight%3D85%25%2027%23&…
If obfuscation is applied, encoding can be limited to remove ‘=’, ‘&’, and ‘%’ characters:
…&$text=rate%26weight%3D85%25 27#&…
Request Obfuscation, HTTP/1.1 Specification (RFC 2616)