HTML: prevent url-encoding of POST form
Solution 1
No, you can't do what yo try to do. And you probably shouldn't try. The fact that you want some data inside a variable called DATA means that your POST payload (or your GET query string) will look like
DATA=somevar%3Dsomeval%26somevar2%3Dsomeotherval
If it was (as you want it to be) like
DATA=somevar=someval&somevar2=someotherval
it would mean:
DATA has a value of 'somevar=someval'
somevar2 has a value of 'someotherval'
This is because each variable has the form VARIABLE_NAME=VALUE, and they are separated by '&'.
Check this yourself in your favourite browser debugger (I use firebug and chrome built-in dev tools). So, the question is: why are you trying to do this? Knowing that it would be easier to help you achieve your goals.
EDIT: the example was wrong
Solution 2
I am unsure what your goal is with this post, nor whether preventing URL-encoding of POST form will indeed solve your problems.
But indeed, preventing the URL encoding of the form is 100% possible, simply add the
enctype="text/plain"
attribute to the form.
Below is an example of a request without enctype text/plain and another one with it.
LMint-PC droope # nc -kl 80 POST / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 168 %7B%22JobTypeIdentifier%22%3A3%2C%22ScheduledStart%22%3Anull%2C%22ScheduleType%22%3A%22Recurring%22%2C%22JobInputP meters%22%3A%5B%5D%2C%22ignoreParam%22%3A%22=%22%7D^C LMint-PC droope # ^C LMint-PC droope # nc -kl 80 POST / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: text/plain Content-Length: 116 {"JobTypeIdentifier":3,"ScheduledStart":null,"ScheduleType":"Recurring","JobInputParameters":[],"ignoreParam":"="}
Comments
-
Mala almost 2 years
I have an HTML form which must be posted to a URL. I would like the form to POST one variable named DATA like so:
DATA: somevar=someval&somevar2=someotherval
I'm having trouble doing this. It seems by default, forms urlencode the data, resulting in:
DATA: somevar%3Dsomeval%26somevar2%3Dsomeotherval
Changing the form's enc-type to "text/plain" results in:
DATA: somevar=someval SOMEVAR2: someotherval
Is there any way I can have a form actually just send the data as above?
-
Mala about 13 yearsI am not having trouble generating the string to be posted. It is the form itself, via the browser, which is doing the url-encoding. This is not a PHP question.
-
Anton about 13 yearsSO u want to display above
DATA
string on browser ( with & ), right?? -
Mala about 13 yearsNo, there's no displaying involved here. I am trying to create a form which sends one variable, "DATA", which contains the un-encoded string as above.
-
Mala about 13 yearsI'm trying to replace a form in a flash applet with a plan HTML form. I've been using the Firefox extension TampterData in order to see what the requests look like. The flash form is literally sending the data as described above, and the server refuses to accept the data in any other form...
-
worc over 5 yearsyou can do this, and you should try if you find yourself pen-testing one of your services and need unencoded characters to carry out the exploit.