HTML: prevent url-encoding of POST form

html forms encoding url-encoding

16,225

Solution 1

No, you can't do what yo try to do. And you probably shouldn't try. The fact that you want some data inside a variable called DATA means that your POST payload (or your GET query string) will look like

DATA=somevar%3Dsomeval%26somevar2%3Dsomeotherval

If it was (as you want it to be) like

DATA=somevar=someval&somevar2=someotherval

it would mean:

DATA has a value of 'somevar=someval'

somevar2 has a value of 'someotherval'

This is because each variable has the form VARIABLE_NAME=VALUE, and they are separated by '&'.

Check this yourself in your favourite browser debugger (I use firebug and chrome built-in dev tools). So, the question is: why are you trying to do this? Knowing that it would be easier to help you achieve your goals.

EDIT: the example was wrong

Solution 2

I am unsure what your goal is with this post, nor whether preventing URL-encoding of POST form will indeed solve your problems.

But indeed, preventing the URL encoding of the form is 100% possible, simply add the

enctype="text/plain"

attribute to the form.

Below is an example of a request without enctype text/plain and another one with it.

LMint-PC droope # nc -kl 80
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

%7B%22JobTypeIdentifier%22%3A3%2C%22ScheduledStart%22%3Anull%2C%22ScheduleType%22%3A%22Recurring%22%2C%22JobInputP
meters%22%3A%5B%5D%2C%22ignoreParam%22%3A%22=%22%7D^C
LMint-PC droope # ^C
LMint-PC droope # nc -kl 80
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: text/plain
Content-Length: 116

{"JobTypeIdentifier":3,"ScheduledStart":null,"ScheduleType":"Recurring","JobInputParameters":[],"ignoreParam":"="}

16,225

Author by

Mala

|\/| _ | _ | |(_||(_| _ \/\/|_|\/_\ |_| _ _ _|(_)(_)

Updated on June 21, 2022

Comments

Mala almost 2 years
I have an HTML form which must be posted to a URL. I would like the form to POST one variable named DATA like so:
```
DATA: somevar=someval&somevar2=someotherval
```
I'm having trouble doing this. It seems by default, forms urlencode the data, resulting in:
```
DATA: somevar%3Dsomeval%26somevar2%3Dsomeotherval
```
Changing the form's enc-type to "text/plain" results in:
```
DATA: somevar=someval
SOMEVAR2: someotherval
```
Is there any way I can have a form actually just send the data as above?
Mala about 13 years

I am not having trouble generating the string to be posted. It is the form itself, via the browser, which is doing the url-encoding. This is not a PHP question.
Anton about 13 years

SO u want to display above DATA string on browser ( with & ), right??
Mala about 13 years

No, there's no displaying involved here. I am trying to create a form which sends one variable, "DATA", which contains the un-encoded string as above.
Mala about 13 years

I'm trying to replace a form in a flash applet with a plan HTML form. I've been using the Firefox extension TampterData in order to see what the requests look like. The flash form is literally sending the data as described above, and the server refuses to accept the data in any other form...
worc over 5 years

you can do this, and you should try if you find yourself pen-testing one of your services and need unencoded characters to carry out the exploit.