I am editing a search form and trying to protect against special characters in the database. In the JSP search form, a (multiselect) dropdown allows users to select descriptions that will be used in the query (note: descriptions is a list of strings):
<select id="descriptionSelect" multiple="multiple">
    <c:forEach items="${descriptions}" var="description">
        <option value="${fn:escapeXml(description)}">
            <c:out value="${description}" />
        </option>
    </c:forEach>
</select>
When the form submits, the page dynamically generates the URL which takes query parameters in the URL (ugly, I know, hands are tied). Here's the snippet making the description segment.
var descriptionSelectBox = document.getElementById("descriptionSelect");
var descriptionsUrlAddition = "";
for (var i = 0; i < descriptionSelectBox.options.length; i++) {
    if (descriptionSelectBox.options[i].selected) {
        descriptionsUrlAddition += "&descriptions=" + escape(descriptionSelectBox.options[i].value);
    }
}
I have a test entry in the database whose description is:
AAA `~!@#$%^&*()_+-={}|[]\:";'<>?,./ And wow this has a lot of special characters.
With the code above, for some reason when the request gets to the controller, the description loses the + sign (it becomes just a space).
Does anyone know what might be happening and how to fix it? I am not sure if it's something to do with URLs special use of +, or what. I could edit how the descriptions list is populated (maybe escaping there). If you offer this as a suggestion, please use Java specific code (no Apache escape utils classes, etc).
If it helps, alerts in the JavaScript indicate that the + sign is not being transformed before sending the request.
Now, if you want a literal + to be present in the query string, you need to specify %2B instead. A + sign in the query string is URL-decoded to a space. %2B in the query string is URL-decoded to a + sign.
+ means "space" in URLs. Replace it with %2B. You could do this just after composing descriptionsUrlAddition, for example:
descriptionsUrlAddition = descriptionsUrlAddition.replace(/\+/g, "%2B"); // regex with the g flag: a string pattern would replace only the first +
For JavaScript you should use encodeURIComponent() or encodeURI(). For example:
var uri = "fj74cvg+fd1==ee";
var res = encodeURIComponent(uri);
and res would be encoded to "fj74cvg%2Bfd1%3D%3Dee"
For PHP you can use urlencode(). For example:
<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>
These functions will replace any special characters in the string to be used as part of the URL.
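Putting the answers above together, here is an added example (not from the question or any of the answers) that builds the descriptions fragment once with escape() and once with encodeURIComponent(), then decodes it the way a servlet container decodes an application/x-www-form-urlencoded query string (+ to space, then percent-decoding). The sample values and the parseDescriptions() helper are constructed for illustration; the helper is a simplified model of container behaviour, not real servlet code.

```javascript
// Constructed sample values standing in for the selected <option> values
// of the multiselect (the first one mirrors the asker's test description).
const selectedDescriptions = [
  "AAA `~!@#$%^&*()_+-={}|[]\\:\";'<>?,./ And wow",
  "plain",
];

// What the original snippet does: escape() leaves '+' untouched
// (it does not encode @ * _ + - . /), so the server later reads it as a space.
function buildWithEscape(values) {
  return values.map((v) => "&descriptions=" + escape(v)).join("");
}

// Correct encoding: encodeURIComponent() turns '+' into %2B, '&' into %26,
// '=' into %3D and so on, so every value survives form decoding unchanged.
function buildWithEncodeURIComponent(values) {
  return values.map((v) => "&descriptions=" + encodeURIComponent(v)).join("");
}

// Simplified model of request.getParameterValues("descriptions"):
// split on '&' and the first '=', map '+' to a space, then percent-decode.
function parseDescriptions(query) {
  const out = [];
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    if (key === "descriptions") {
      out.push(decodeURIComponent(raw.replace(/\+/g, " ")));
    }
  }
  return out;
}

// Stand-alone demonstration: the escape() round trip loses the '+',
// the encodeURIComponent() round trip returns the original values.
console.log(parseDescriptions(buildWithEscape(selectedDescriptions)));
console.log(parseDescriptions(buildWithEncodeURIComponent(selectedDescriptions)));
```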