I am editing a search form and trying to protect against special characters in the database. In the JSP search form, a (multiselect) dropdown allows users to select descriptions that will be used in the query (note: descriptions is a list of strings):
<select id="descriptionSelect" multiple="multiple">
<c:forEach items="${descriptions}" var="description">
<option value="${fn:escapeXml(description)}")}">
<c:out value="${description}" />
</option>
</c:forEach>
</select>
When the form submits, the page dynamically generates the URL which takes query parameters in the URL (ugly, I know, hands are tied). Here's the snipet making the description segment.
var descriptionSelectBox = document.getElementById("descriptionSelect");
var descriptionsUrlAddition = "";
for (var i = 0; i < descriptionSelectBox.options.length; i++) {
if (descriptionSelectBox.options[i].selected) {
descriptionsUrlAddition += "&descriptions=" + escape(descriptionSelectBox.options[i].value);
}
}
I have a test entry in the database whose description is:
AAA `~!@#$%^&*()_+-={}|[]:";'<>?,./ And wow this has a lot of special characters.
With the code above, for some reason when the request gets to the controller, the description loses the + sign (it becomes just a space).
Does anyone know what might be happening and how to fix it? I am not sure if it's something to do with URLs special use of +, or what. I could edit how the descriptions list is populated (maybe escaping there). If you offer this as a suggestion, please use Java specific code (no Apache escape utils classes, etc).
If it helps, using alerts in the JavaScript indicate that the + sign is not being transformed before sending the request.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
