Link to home
Create AccountLog in
Avatar of angelblade27
angelblade27

asked on

Preventing url encoding during form submit

I have a form which has a text box in it. Recently now users started entering & in the textbox ( which is now expected). However the problem comes that the & gets converted to %26 ( i saw this when i intercepted it via tamper data) which causes problems. I need it to submit the correct value ie & and not the url encoding version of it
Avatar of Kuldeepchaturvedi
Kuldeepchaturvedi
Flag of United States of America image

are you using "GET" as your form submit method?

you can convert it to POST and it should take care of it.
Avatar of angelblade27
angelblade27

ASKER

so in the jsp code ( note this is a web based tool which i inherited) there is an opening an form tag and a closing form tag down the page however when the html is rendered the form  tag  is like this
<form action="*.foo" method="post"/>
it contains both the opening and closing tag. However the page still submits the form fine. I'm guess firefox guess which form to submit?. But still i don't get why the rendered html looks different than the jsp code.
There is only one form present on the page
okay so it is posting the form on POST method... then your data will not get encoded unless encoded by using a javascript or a filter or something that is modifying your data before it reaches server...
So the input button for submit doesn't have an event handler on it so is there another way javascript could be triggered?
Attached a snipet of the html.
Note: I deleted alot between the tbody and the tr

            <form method="post" action="*.gts"></form>
            <tbody>
         
                        
            <tr>
	            <td colspan="2" align="center" bgcolor="#efefef"><input value="Run" type="submit"></td>
	        </tr>
            
        </tbody>

Open in new window

Avatar of rrz
>so is there another way javascript could be triggered?  
You could use  something like
<form method="post" action="*.gts"   onsubmit="yourfunction();"></form>  
What do you want the javascript to do ?

well i'm just trying to avoid "&" geting url encoded to %26 during form submit as it is messing up our automation.
@Kuldeepchaturvedi: suggested that if the form submit was post it shouldn't do it. But in the html it looks like the form is already being submitted via POST.
it looks like this code is also contained in an iframe
I down loaded "Tamper Data" . Now I see what you  talking about.  
The default value for a form is  
enctype="application/x-www-form-urlencoded'
The work around is to use
<form method="post" action="*.gts"  enctype="multipart/form-data">  
But that would probably require a rewrite of your server code.
What is  *.gts  ?    Can you rewrite that to accept  multipart ?  


what kind of data this form is accepting?  if there are only text types you can just get away using enctype.. ( i.e. just remove it).. if you use multipart as rrz suggested, you *MAY* have to change the back end code to accept it.
Yeah i prob could rewrite *gts if i need to. I don't really want to.
@Kuldeepchaturvedi:- yes the form consists of simple text inputs and couple radio buttons.
What did you mean by "enctype....".
did you mean have the form as
<form method="post" action="*.gts"  enctype="">  
without any value?
><form method="post" action="*.gts"  enctype="">    
That won't work. As I said  
>The default value for a form is  
enctype="application/x-www-form-urlencoded'
also the link I posted above here.  
You could rewrite *.gts to accept multipart/form-data   but it might be easier to write a servlet to accept the request and use
   userText = request.getParameter("yourtextboxName");  
   request.setAttribute("userText", userText);
then  forward to  *.gts

If you can tell more about *.gts, then maybe we can come up with an easy solution.
i'll need to look at the code when i get into work tom. I'll update this tomorrow then.
so i copied the do get and do post with some of the variable names changed
  public void doGet (HttpServletRequest request,
                       HttpServletResponse response)
            throws IOException, ServletException
    {

        String testMethod = request.getParameter ("testMethod");
        String destinationURL = request.getParameter ("destinationURL");

        if (testMethod.equals ("login"))
        {
            String uid = request.getParameter
                    (testConstants.USER_COOKIE_NAME);
            login (response, uid, destinationURL);
        }
        else if (testMethod.equals ("deleteTS"))
        {
            int id = Integer.parseInt (request.getParameter ("id"));
            deleteTS (response, id, destinationURL);
        }
        else if (testMethod.equals ("deleteTSRun"))
        {
            int id = Integer.parseInt (request.getParameter ("id"));
            deleteTSRun (response, id, destinationURL);
        }
        else if (testMethod.equals ("viewGraphResult"))
        {
            viewGraphResult (request, response);
        }
        else if (testMethod.equals ("viewGroupResult"))
        {
            viewGroupResult (request, response);
        }
        else if (testMethod.equals ("runMultipleTestsuites"))
        {
            runMultipleTestsuites (request, response);
        }
    }

    public void doPost (HttpServletRequest request,
                        HttpServletResponse response)
            throws IOException, ServletException
    {

        String testMethod = request.getParameter ("testMethod");
        String destinationURL = request.getParameter ("destinationURL");

        if (testMethod.equals ("runTestsuite"))
        {
            runTestsuite (request, response);
        }
        else if (testMethod.equals ("runTestcases"))
        {
            runTestcases (request, response);
        }
        else if (testMethod.equals ("runMultipleTestsuites"))
        {
            runMultipleTestsuites (request, response);
        }
        else if (testMethod.equals ("editTS"))
        {
            editTS (request, response, destinationURL);
        }
    }


changing the enctype to multipart/form-data" doesn't work by itself
the server throws an:
java.lang.NullPointerException
      gts.servlet.GTSServlet.doPost(GTSServlet.java:114)
ASKER CERTIFIED SOLUTION
Avatar of rrz
rrz
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
i quite didn't understand what u were meaning. U first said that the request.getParameter() will not work for multipart, which seems to be true, and then u said that request.getParamter() will decode the parameter which is contradictory.

I meant that  request.getParameter method only works for the default encoding  (application/x-www-form-urlencoded)
is there a way to parse the request when the form is submitted with the multipart?
you can use commons-upload api from jakarta ( same guys as tomcat).. this api can read multipart request and parse it quite easily.
Here is  example  code.
https://www.experts-exchange.com/questions/23504709/How-to-upload-a-text-file-on-a-particular-location-on-oracle-server-using-JSP.html 

I still can't understand why you were having a problem.
>Is the problem your having in one of the methods that your passing the request to ?  
 viewGroupResult (request, response);
runMultipleTestsuites (request, response);
What is happening in those ?