Percentage 0a (Line Break) Execution Resolution Process


test.phpThe code of the file is as follows:

 <!  -scenario 1->
 <script type="text/javascript">
 //var a = "<?  php echo $_GET['input'];  ?  >";
 <!  -scenario 2->
 <script type="text/javascript">
 //var a = "start_ percentage 0a_end ";

Situation 1:
The value of variable A is controllable and is determined by parameter input.
Therefore, when accessing from the browser: Input=start_ percent 0a_end
Looking at the source code of the webpage, the results are as follows:

//omit ...
 <!  -scenario 1->
 <script type="text/javascript">
 //var a = start_
 <!  -scenario 2->
 <script type="text/javascript">
 //var a = "start_ percentage 0a_end ";
 //omit ...

We can find that in case 1, a line break occurred, while case 2 remains the same.
Why does this happen?

Who can helpdetailedExplain the principle?

Let me say my opinion on this issue:
When a client accesses a web address ( Input=start_ percent 0a_end), because it is a php file, the server will submit the result to an Apache server for analysis and execution, and return the result to the server. The server will return the result to the client (browser) through http response, and the browser will render the page and present it to the user.
User-> browser-> server —>apache
What exactly is a line break?
1. Appears at the stage of Apache parsing execution
2. Or is the browser presenting the final result to the user
If it is in Apache’s parsing execution phase, then<? Phphecho "start _ percent 0a_end"; ? >There should also be a line break, but in fact there is no line break.
If the line break occurs in the rendering stage of the browser, then

<script type="text/javascript"> Var a = "start_ percentage 0a_end "; //Note: There is no comment on this line </script>

There should also be a line break, but in fact there is no line break.

meet@ Ann is firmThe answer to this question is,query stringDue to the needs of address bar display, logging, escape and other aspects, some characters must be translated (such as characters that cannot be displayed, control characters with special meaning, etc.)

So you searched Baidu for one&The link visited when the symbol is actually Wd= percentage 26
Because this character matches theParameter connectorConflict, need escape

This process is a coding process. The most common coding algorithm isURLEncodeAndBase64Encode
As used hereinURLEncode, this is inRFC 3986As defined in

When the server receives this request, it records it in the log as it is, and then turns the parameter into the string of application inside and gives it to the web application for processing.
At this time, a decoding process needs to be carried out, otherwise the obtained data is inconsistent with the expectation.

Following the above example, I want to search for strings&Instead of a stringPercentage 26Therefore, decoding is required to change back&

Explain the example of LZ again, visit in browserhttp:// Input=start_ percent 0a_endAt that time,
In fact, the actual value of input is notStart_ percent 0a_endThis string, just because the address bar cannot display the newline character, escaped the newline character, his actual value isStart_[ line break ]_end, page output, restore him to[line feed]

If you want to specify the actual value of the input parameter asStart_ percent 0a_end, you need toPercentageTo escape once and becomePercentage 25

Try to visithttp:// Input=start_ percent 250a_end