
Do Not Escape Special Characters On Form Submit

I have a form that submits via GET, and one of the hidden fields submits a list of category IDs, separated by comma (1,2,3). When the get query gets to the page it is going, commas

Solution 1:

The problem with "making it stop" is that the encoding is a part of HTTP standards - you "shouldn't want" to make it stop since it is a part of the very basis upon which HTTP is built. RFC 2396 describes which characters are allowed and not allowed in a URI:

2.2. Reserved Characters

Many URI include components consisting of or delimited by, certain special characters. These characters are called "reserved", since their usage within the URI component is limited to their reserved purpose. If the data for a URI component would conflict with the reserved purpose, then the conflicting data must be escaped before forming the URI.

  reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
                "$" | ","

Because of this fact, when using GET to submit a form, the user agent will encode the values according to this specification.

Your solution lies in either

  1. Change the form to use the POST method, change references to $_GET into $_POST in PHP

  2. Call urldecode on the data before using it ($_GET['my_value'] = urldecode($_GET['my_value']);)

  3. Use element arrays to submit this as an array to the server

On PHP side, $_GET['myElement'] will be equal to array(1,2,3)

Solution 2:

Use JavaScript to manually encode the query string? A bit ugly, but it looks like it is the only option.

Solution 3:

Create 3 hidden fields with the same name "category" and a different value 1, 2 and 3.
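
The two submission styles from the answers above (one comma-separated hidden field, or a repeated field), as an added example that is not part of any answer: the comma is percent-encoded only in transit, so the receiver decodes once and then validates every ID. It uses the standard URLSearchParams API; the field names `categories` and `category`, the function names and the 50-item limit are assumptions.

```javascript
// Added example; field names, function names and MAX_IDS are hypothetical.
const MAX_IDS = 50; // assumed upper bound on the number of IDs accepted

// Build the query string the way a GET form submission does
// (application/x-www-form-urlencoded serialization).
function serializeForm(pairs) {
  return new URLSearchParams(pairs).toString();
}

// Decode the query string exactly once, then accept only decimal IDs.
function parseCategoryIds(query) {
  const params = new URLSearchParams(query); // percent-decoding happens here, once
  // Accept either one comma-separated field or a repeated field.
  const raw = params.has('categories')
    ? params.get('categories').split(',')
    : params.getAll('category');
  if (raw.length === 0 || raw.length > MAX_IDS) {
    throw new RangeError('category list missing or too long');
  }
  return raw.map((item) => {
    const id = item.trim(); // "1, 2, 3" arrives as "1,+2,+3" and decodes with spaces
    // Anything that is not a short run of ASCII digits is rejected,
    // including leftovers of a double-encoded value such as "1%2C2".
    if (!/^[0-9]{1,9}$/.test(id)) {
      throw new TypeError('invalid category id: ' + JSON.stringify(item));
    }
    return Number(id);
  });
}

// Constructed sample input: the same three IDs submitted both ways.
const commaForm = serializeForm([['categories', '1,2,3']]);
const repeatedForm = serializeForm([
  ['category', '1'], ['category', '2'], ['category', '3'],
]);

console.log(commaForm);    // the comma travels as %2C
console.log(repeatedForm); // no comma in the URL at all
console.log(parseCategoryIds(commaForm), parseCategoryIds(repeatedForm));
```

A double-encoded value such as `categories=1%252C2` decodes once to `1%2C2` and is rejected by the digit check instead of being decoded a second time.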

Solution 4:

Instead of preventing encoding, consider decoding the string when you receive it. Here is an example (using Java):

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class Encoden
{
    public static void main(String[] args)
    {
        String encodedValue;
        String value = "a, b, c";
        String unencodedValue;

        // Encode the value the same way a form submission does
        // (application/x-www-form-urlencoded).
        try
        {
            encodedValue = URLEncoder.encode(value, "UTF-8");
        }
        catch (UnsupportedEncodingException exception)
        {
            encodedValue = null;

            System.out.print("encoding exception: ");
            System.out.println(exception.getMessage());
        }

        // Decode the encoded value back to the original string.
        try
        {
            unencodedValue = URLDecoder.decode(encodedValue, "UTF-8");
        }
        catch (UnsupportedEncodingException exception)
        {
            unencodedValue = null;
            System.out.print("decoding exception: ");
            System.out.println(exception.getMessage());
        }

        // Print all three forms so the round trip is visible.
        System.out.print("Original: ");
        System.out.println(value);
        System.out.print("Encoded: ");
        System.out.println(encodedValue);
        System.out.print("Decoded: ");
        System.out.println(unencodedValue);
    }
}

I just noticed the PHP tag. While I don't know PHP, I'm certain that it will have a means to encode and decode HTML string values.

Edit: Based on comments, try rendering the value of the hidden inside a CDATA block. I have no idea if this will work, just throwing it out there. Here is an example:

<input type="hidden" name="blam" value="<![CDATA[1, 2, 3]]>"/>
