I am sending quite a few values with my AJAX call, like this:
var postData = "aid="+aid+"&lid="+lid+"&token="+token+"&count="+count+"&license="+license;
postData = postData + "&category="+category+"&event_name="+event_name+"&set_menu="+set_menu;
postData = postData + "&set_id="+set_id+"&location="+location+"&delay="+delay;
and then sending the call like this:
$.ajax({
  type : 'GET',
  url : 'ajax/createFolderID.asp',
  dataType : 'html',
  data : postData,
  success : function() { /* do something */ },
  complete : function() { /* do something */ },
  error : function() { /* do something */ }
});
The problem is, one of the querystring values, "event_name", comes from user input. If the user enters an ampersand (&) symbol, the postData string breaks and won't send anything after that symbol.
Example case: &event_name=D&G Clothing Launch Party&set_menu=existing...
I understand what is going wrong, but not so sure what the best fix would be. Do I convert those characters to something else, or is there a way of escaping them? Also, are there any other characters that will cause harm to the script, like plus (+) or minus (-) signs, or apostrophes (')?
Asked Feb 1, 2012 at 20:30 by TheCarver; edited Feb 1, 2012 at 20:39.
4 Answers
Escape each of your values.
var postData = "aid="+escape(aid)+"&lid="+escape(lid) ... ;
If you pass the postData to jQuery as a map, it will encode the components for you:
var postData = { aid: aid,
                 lid: lid,
                 // ... remaining fields
               };
If you really need to pass a string, you should use encodeURIComponent to properly encode the user data.
The W3C has some more information on form encoding.
First use a Map.
var post = {
  "aid": aid,
  "lid": lid,
  "token": token
  // ... remaining fields
};
Then generate url-encoded string.
var a = [];
for (var x in post) {
  // encode each key and each value separately
  a.push(encodeURIComponent(x) + "=" + encodeURIComponent(post[x]));
}
var postData = a.join("&");
Update 1: If you are using jQuery no need to generate url-encoded string. Just pass the map.
Update 2: escape is not good as it only handles ASCII. So use encodeURIComponent. See: When are you supposed to use escape instead of encodeURI / encodeURIComponent? Thanks @SamuelEdwinWard
Just use:
postData = encodeURIComponent(postData);
before launching it.
escape, unescape, encodeURI and encodeURIComponent are various methods you may need when using Ajax. However, if you use escape (http://www.google.), you will also escape ://, destroying your URI. That's why you should use encodeURI, or encodeURIComponent. See also: When are you supposed to use escape instead of encodeURI / encodeURIComponent?
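What each way of building the string puts on the wire, and what a form decoder recovers from it, as an added example that is not part of the original posts. The field values are constructed samples, and URLSearchParams stands in for the server-side parser (an assumption, since the page's endpoint is an ASP script).

```javascript
// Constructed sample values; event_name and location stand in for user input.
const fields = {
  aid: "12",
  event_name: "D&G Clothing Launch Party",
  location: "Bar + Grill's",
  set_menu: "existing",
};

// Naive concatenation, as in the question: values are inserted unencoded.
function buildNaive(obj) {
  return Object.keys(obj).map((k) => k + "=" + obj[k]).join("&");
}

// Per-component encoding: every key and value is encoded separately, so the
// only structural "&" and "=" are the ones added here.
function buildEncoded(obj) {
  return Object.keys(obj)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(obj[k]))
    .join("&");
}

// Encoding the already-assembled string also encodes the separators.
function buildWholeEncoded(obj) {
  return encodeURIComponent(buildNaive(obj));
}

// Decode the way a form-urlencoded parser on the receiving side does
// (assumption: URLSearchParams models that parser).
function parse(qs) {
  const out = {};
  for (const [k, v] of new URLSearchParams(qs)) out[k] = v;
  return out;
}

for (const build of [buildNaive, buildEncoded, buildWholeEncoded]) {
  console.log(build.name, parse(build(fields)));
}
```

encodeURIComponent leaves the apostrophe as it is because it has no meaning in a query string, while the plus sign, which form decoders read as a space, is sent as %2B.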