var token = $('new_post').authenticity_token.value;
var post = new Request({url:this.getParent().getParent().getElementsByTagName('form')[0].action}).send('authenticity_token='+token+'&post[content]='+this.value);
Rails generates the authenticity token with the SecureRandom.base64 method provided by ActiveSupport, which returns a random Base64 string. Unfortunately Base64 strings cannot be dropped into a URL or a form body unencoded because they may contain ‘+’, ‘/’ and ‘=’ characters, and it was this that was causing the bug: when the token contained a ‘+’, the server decoded it as a URL-encoded space, so the token it received no longer matched the one it had issued and the exception was raised. JavaScript provides a simple solution to this problem: the encodeURIComponent method, which percent-encodes exactly these characters. Note that the similarly named encodeURI is the wrong tool here: it leaves ‘+’, ‘&’ and ‘=’ untouched because they are legal in a full URL.
You may also have noticed there’s another, potentially nastier, related bug lurking in that seemingly innocent bit of JavaScript: the post[content] parameter isn’t being encoded either. This means that if the user were to enter something like you really should &handle this=properly then the ampersand would be treated as the start of a new parameter rather than part of the content string, and everything after it would arrive as a parameter called handle this with the value properly. Because the content comes straight from the user, this is more than a data-loss bug: whatever the user types becomes part of the parameter list the server sees, so a value containing &post[some_other_attribute]=x (a hypothetical attribute name) would be parsed as a separate, user-chosen form field rather than as text. Again encodeURIComponent comes to the rescue:
var token = $('new_post').authenticity_token.value;
var post = new Request({url:this.getParent().getParent().getElementsByTagName('form')[0].action}).send('authenticity_token='+encodeURIComponent(token)+'&post[content]='+encodeURIComponent(this.value));
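To make both bugs visible without a browser or a Rails server, here is an added example (not code from the original post) that builds the form body the way the buggy and the fixed snippets do and then decodes it the way a server would, splitting on ‘&’, splitting each pair on the first ‘=’ and turning ‘+’ back into a space. The token and content values are constructed for the example, and the decoder is a deliberately minimal imitation of real form parsing.

```javascript
// Added example, not from the original post. Builds an
// application/x-www-form-urlencoded body and decodes it the way a
// server would, so the effect of (not) calling encodeURIComponent can
// be observed directly. Runs under Node.js with no dependencies.

// Encode each key/value pair with encodeURIComponent. Unlike encodeURI,
// encodeURIComponent escapes '&', '=', '+' and '/', which is what makes
// it safe for values that end up in a form body.
function formEncode(params) {
  return Object.keys(params)
    .map(function (key) {
      return encodeURIComponent(key) + '=' + encodeURIComponent(params[key]);
    })
    .join('&');
}

// Minimal imitation of server-side form parsing: '+' means space and
// %XX is a percent-encoded byte. Real parsers are more lenient about
// malformed input; this one is only meant to show the round trip.
function decodeField(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

function formDecode(body) {
  var result = {};
  if (body === '') return result;
  body.split('&').forEach(function (pair) {
    var idx = pair.indexOf('=');
    var rawKey = idx === -1 ? pair : pair.slice(0, idx);
    var rawValue = idx === -1 ? '' : pair.slice(idx + 1);
    result[decodeField(rawKey)] = decodeField(rawValue);
  });
  return result;
}

// Constructed sample values: a Base64-looking token that contains all
// three problem characters, and content containing '&' and '='.
var SAMPLE_TOKEN = 'a+b/c==';
var SAMPLE_CONTENT = 'you really should &handle this=properly';

// The body the original (unencoded) snippet sends.
function buggyBody(token, content) {
  return 'authenticity_token=' + token + '&post[content]=' + content;
}

// The body the fixed snippet sends.
function fixedBody(token, content) {
  return formEncode({ authenticity_token: token, 'post[content]': content });
}

// Stand-alone demonstration: the buggy body loses the '+' in the token
// and grows a third parameter; the fixed body round-trips exactly.
console.log(formDecode(buggyBody(SAMPLE_TOKEN, SAMPLE_CONTENT)));
console.log(formDecode(fixedBody(SAMPLE_TOKEN, SAMPLE_CONTENT)));
```

Decoding the buggy body turns the token into a b/c== (the ‘+’ has become a space, so the server-side comparison fails) and yields three parameters instead of two; decoding the fixed body returns the original token and content unchanged.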


4 comments on “Encode URL parameters in JavaScript”
Michael Kintzer, July 9th, 2009 @ 09:14
John, September 12th, 2009 @ 00:14
Rob Anderton, September 13th, 2009 @ 16:28
Tony, January 12th, 2010 @ 21:26