This project is archived and is in readonly mode.

#5175 ✓invalid
Brian Takita

Hash#to_params does not perform escaping resulting in invalid query param strings

Reported by Brian Takita | July 21st, 2010 @ 08:01 PM

The Hash#to_params method does not escape the key and value, which causes the resultant query string to become invalid.

{
  "param-1" => "A string with / characters & that should be ? escaped"
}.to_params # results in param-1=A string with / characters & that should be ? escaped

Comments and changes to this ticket

  • Santiago Pastorino

    Santiago Pastorino July 21st, 2010 @ 11:20 PM

    • Assigned user set to “Santiago Pastorino”
    • Importance changed from “” to “Low”

    { "param 1" => "A string with / characters & that should be ? escaped" }.to_param => "param 1=A+string+with+%2F+characters+%26+that+should+be+%3F+escaped"

    So it escapes both the keys and the values.
    Which Rails version are you trying this on?
    I've tested it on master and 2.3.4.

    I'm going to upload a test case for this.

  • Santiago Pastorino

    Santiago Pastorino July 22nd, 2010 @ 01:24 AM

    • State changed from “new” to “invalid”

    I will close the ticket; if you find something more, let me know and I will reopen it.

  • Gaius Centus Novus

    Gaius Centus Novus November 30th, 2010 @ 12:12 AM

    I'm getting this same behavior on Rails 2.3.8 on REE:

    $ ruby --version
    ruby 1.8.7 (2010-04-19 patchlevel 253) [i686-darwin10.4.0], MBARI 0x6770, Ruby Enterprise Edition 2010.02
    
    $ script/console
    Loading development environment (Rails 2.3.8)
    DEPRECATION WARNING: require "activerecord" is deprecated and will be removed in Rails 3. Use require "active_record" instead. (called from /Users/jamesrosen/.rvm/gems/ree-1.8.7-2010.02@zendesk/gems/activerecord-2.3.8/lib/activerecord.rb:2)
    ** [NewRelic] Starting the New Relic Agent.
    DEPRECATION WARNING: require "activesupport" is deprecated and will be removed in Rails 3. Use require "active_support" instead. (called from /Users/jamesrosen/.rvm/gems/ree-1.8.7-2010.02@zendesk/gems/activesupport-2.3.8/lib/activesupport.rb:2)
    ** Erubis 2.6.6
    ree-1.8.7-2010.02 > { "param-1" => "A string with / characters & that should be ? escaped" }.to_params
     => "param-1=A string with / characters & that should be ? escaped"
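
Added example, not part of the ticket and not Rails code: the two outputs quoted in this thread, reproduced with Ruby's standard `uri` library and then decoded the way a receiving application would. The helper names are hypothetical; the sample hash is the one from the report.

```ruby
require "uri"

# Sample input: the hash from the original report.
PARAMS = { "param-1" => "A string with / characters & that should be ? escaped" }.freeze

# Hypothetical helper: joins pairs with no escaping, which yields the
# string shown in the report.
def unescaped_query(hash)
  hash.map { |k, v| "#{k}=#{v}" }.join("&")
end

# Hypothetical helper: form-encodes every key and value before joining.
def escaped_query(hash)
  hash.map do |k, v|
    "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}"
  end.join("&")
end

# Decodes a query string the way a receiving application would.
def parse_query(query)
  URI.decode_www_form(query).to_h
end

# Characters that must not appear raw inside an encoded key or value.
# "&" and "=" are allowed here only because they delimit pairs.
def raw_unsafe_chars(query)
  query.scan(/[^A-Za-z0-9*\-._+%&=]/).uniq
end

# Check usable in a test suite: the query must decode to the same hash.
def round_trips?(hash, query)
  parse_query(query) == hash
end

if __FILE__ == $PROGRAM_NAME
  [unescaped_query(PARAMS), escaped_query(PARAMS)].each do |q|
    puts q
    puts "  parsed:      #{parse_query(q).inspect}"
    puts "  raw unsafe:  #{raw_unsafe_chars(q).inspect}"
    puts "  round trip:  #{round_trips?(PARAMS, q)}"
  end
end
```

With the unescaped string, the raw `&` splits the value, so the receiver sees two parameters instead of one.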
    


Tickets have moved to GitHub

The new ticket tracker is available at https://github.com/rails/rails/issues
