Do not escape special characters on form submit_问答_开发者

Do not escape special characters on form submit

开发者 https://www.devze.com 2023-03-29 06:21 出处：网络

I have a form that submits via GET, and one of the hidden fields submits a list of category IDs, separated by comma (1,2,3).

When the get query gets to the page it is going, commas become escaped with %2C.

I cannot make changes to PHP that parses these values, and they must remain commas.

In summary: ?category=1,2,3 works, and ?category=1%2C2%2C3 doesn't.

How开发者_C百科 do I prevent the comma from being encoded?

Edit to address the comment, simplified, but gives you the gist:

<form method="get" action="something.php">
<input type="hidden" name="category" value="1,2,3">
<input type="submit">
</form>

The problem with "making it stop" is that the encoding is a part of HTTP standards - you "shouldn't want" to make it stop since it is a part of the very basis upon which HTTP is built. RFC2396 describes which characters are allowed and not allowed in a URI:

2.2. Reserved Characters

Many URI include components consisting of or delimited by, certain special characters. These characters are called "reserved", since
their usage within the URI component is limited to their reserved
purpose. If the data for a URI component would conflict with the
reserved purpose, then the conflicting data must be escaped before
forming the URI.
  reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
                "$" | ","

Because of this fact, when using GET to submit a form, the user agent will encode the values according to this specification.

Your solution lies in either

Change the form to use the POST method, change references to $_GET into $_POST in php
Call urldecode (docs) on the data before using it ($_GET['my_value'] = urldecode($_GET['my_value']);)
Use element arrays to submit this as an array to the server

On PHP side, $_GET['myElement'] will be equal to array(1,2,3)

Use Javascript to manually encode the query string? A bit ugly, but it looks like it is the only option.

Create 3 hidden fields with the same name "category" and a different value 1, 2 and 3.

Instead of preventing encoding, consider decoding the string when you receive it. Here is an example (using java):

public class Encoden
{
    public static void main(String[] args)
    {
        String encodedValue;
        String value = "a, b, c";
        String unencodedValue;

        try
        {
            encodedValue = URLEncoder.encode(value, "UTF-8");
        }
        catch (UnsupportedEncodingException exception)
        {
            encodedValue = null;

            System.out.print("encoding exception: ");
            System.out.println(exception.getMessage());
        }

        try
        {
            unencodedValue = URLDecoder.decode(encodedValue, "UTF-8");
        }
        catch (UnsupportedEncodingException exception)
        {
            unencodedValue = null;
            System.out.print("decoding exception: ");
            System.out.println(exception.getMessage());
        }

        System.out.print("Original: ");
        System.out.println(value);
        System.out.print("Encoded: ");
        System.out.println(encodedValue);
        System.out.print("Decoded: ");
        System.out.println(unencodedValue);
    }
}

I just noticed the php tag. While I dont know php, I'm certain that it will have a means to encode and decode HTML string values.

Edit: Based on comments, try rendering the value of the hidden inside a CDATA block. I have no idea if this will work, just throwing it out there. Here is an example:

<input type="hidden" name="blam" value="<![CDATA[1, 2, 3]]>"/>