This project is archived and is in readonly mode.
Hash#to_params does not perform escaping resulting in invalid query param strings
Reported by Brian Takita | July 21st, 2010 @ 08:01 PM
The Hash#to_params method does not escape the key and value, which causes the resultant query string to become invalid.
{
"param-1" => "A string with / characters & that should be ? escaped"
}.to_params # results in param-1=A string with / characters & that should be ? escaped
Comments and changes to this ticket
-
Santiago Pastorino July 21st, 2010 @ 11:20 PM
- Assigned user set to Santiago Pastorino
- Importance changed from to Low
{ "param 1" => "A string with / characters & that should be ? escaped" }.to_param => "param 1=A+string+with+%2F+characters+%26+that+should+be+%3F+escaped"
So it escapes both the keys and the values.
In which Rails version are you trying?
I've tested it on master and 2.3.4. I'm going to upload a test case for this.
-
Repository July 21st, 2010 @ 11:30 PM
(from [6cbd085f692aae7518ac67380e805ebb65896951]) Test Hash#to_param escapes keys and values
[#5175] http://github.com/rails/rails/commit/6cbd085f692aae7518ac67380e805e...
-
Santiago Pastorino July 22nd, 2010 @ 01:24 AM
- State changed from new to invalid
I will close the ticket; if you find something more, let me know and I will reopen.
-
Gaius Centus Novus November 30th, 2010 @ 12:12 AM
I'm getting this same behavior on Rails 2.3.8 on REE:
$ ruby --version
ruby 1.8.7 (2010-04-19 patchlevel 253) [i686-darwin10.4.0], MBARI 0x6770, Ruby Enterprise Edition 2010.02
$ script/console
Loading development environment (Rails 2.3.8)
DEPRECATION WARNING: require "activerecord" is deprecated and will be removed in Rails 3. Use require "active_record" instead. (called from /Users/jamesrosen/.rvm/gems/ree-1.8.7-2010.02@zendesk/gems/activerecord-2.3.8/lib/activerecord.rb:2)
** [NewRelic] Starting the New Relic Agent.
DEPRECATION WARNING: require "activesupport" is deprecated and will be removed in Rails 3. Use require "active_support" instead. (called from /Users/jamesrosen/.rvm/gems/ree-1.8.7-2010.02@zendesk/gems/activesupport-2.3.8/lib/activesupport.rb:2)
** Erubis 2.6.6
ree-1.8.7-2010.02 > { "param-1" => "A string with / characters & that should be ? escaped" }.to_params
=> "param-1=A string with / characters & that should be ? escaped"
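Added example, not part of the ticket thread or of the Rails code base: it shows what a receiver parses out of the unescaped string reported above, next to the escaped form, using only Ruby's standard `uri` library. The helper names `unescaped_query`, `escaped_query` and `parsed` are hypothetical, and the second input is constructed to show the general case where an unescaped `&` and `=` in a value turn into an extra parameter.

```ruby
require "uri"

# Hypothetical helper: joins key=value pairs with no escaping, which
# reproduces the string the ticket reports for Hash#to_params.
def unescaped_query(hash)
  hash.map { |k, v| "#{k}=#{v}" }.join("&")
end

# Hypothetical helper: escapes key and value as
# application/x-www-form-urlencoded before joining.
def escaped_query(hash)
  hash.map do |k, v|
    "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}"
  end.join("&")
end

# What the receiving side sees after parsing the query string.
def parsed(query)
  URI.decode_www_form(query)
end

# The value from the ticket.
TICKET = { "param-1" => "A string with / characters & that should be ? escaped" }
# Constructed input: one value that itself contains "&" and "=".
EXTRA_PAIR = { "comment" => "hi&admin=1" }

if __FILE__ == $PROGRAM_NAME
  [TICKET, EXTRA_PAIR].each do |input|
    raw  = unescaped_query(input)
    safe = escaped_query(input)
    puts "input:     #{input.inspect}"
    puts "unescaped: #{raw}"
    puts "  parsed:  #{parsed(raw).inspect}"
    puts "escaped:   #{safe}"
    puts "  parsed:  #{parsed(safe).inspect}"
    puts "  round trip intact: #{parsed(safe) == input.to_a}"
    puts
  end
end
```

The snippets in the thread call two different method names, `to_params` in the report and the last comment and `to_param` in the reply that shows escaped output.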