Escaping parameters in set_form_data POST

Question

This is the oddest thing. When I add the ; in set_form_data, value gets interpreted as value; on the server side. When I remove the ;, the value for 'dontescape' gets interpreted as file%3a%2f%2f%2fpath%2fto. What the heck is happening? I don't want anything escaped unless I explicitly call CGI::escape! Please help :)

postParams = {
  'key1' => 'value',
  'dontescape' => 'file:///path/to'
}

url = URI.parse('https://my.url')

req = Net::HTTP::Post.new(url.path)
req.basic_auth('username', 'password')

req.set_form_data(postParams, ';')

sock = Net::HTTP.new(url.host, 443)
sock.use_ssl = true
sock.ssl_version = 'SSLv3'
sock.start do |http|
response = http.request(req) do
  return response.body
end

I already improved your code, and sorry tabs are not Ruby convention. — Mario Uher, Aug 01 '11 at 20:47
I accepted ream88's edit. You're free to code any way you like it, no doubt - but it's easier for others if they can read the code the way (most) are used to. — emboss, Aug 01 '11 at 21:38

score 0 · Accepted Answer · answered Aug 03 '11 at 16:35

It's not OK that this happens: PHP, Java, Node -- none of them do this.
First, I override:

# Module to override
module Net
    module HTTPHeader   
        def postUrlBuilder(postParams)
            @queryUrl = ''
            if (postParams.nil? or postParams == 0)
                # Null or empty item
            else
                count = 0
                postParams.each_pair do |key,value|
                    if (count == 0)
                        @queryUrl = @queryUrl + key + '=' + value
                        count = count + 1
                    else 
                        @queryUrl = @queryUrl + '&' + key + '=' + value
                    end
                end
            end
            return @queryUrl
        end

        def set_form_data(postParams, sep = '&')
            self.body = postUrlBuilder(postParams)
            self.content_type = 'application/x-www-form-urlencoded'
        end
        alias form_data= set_form_data
   end
end

Then I wrote my own post method:

def monkey_patch_post_request(postParams)
        url = URI.parse(@monkeyPatchUrl)    
        req = Net::HTTP::Post.new(url.path)
        req.basic_auth @companyId, @apiKey
        req.set_form_data(postParams, sep = '&')
        sock = Net::HTTP.new(url.host, 443)
        sock.use_ssl = true
        sock.ssl_version='SSLv3'
        sock.start do |http|
            response = http.request(req)
            return response.body
        end
    end

This should help!

Escaping parameters in set_form_data POST

1 Answers1

Linked