Closed ukdave closed 3 years ago
Hey @ukdave. Thanks for reporting this issue with providing a working app to reproduce the issue! ❤️
After looking into this, I think this issue might have been solved with #418.
Can you try to point your StimulusReflex gem and npm package to master and to see if the issue persists? Thank you!
https://docs.stimulusreflex.com/hello-world/setup#running-edge
Thanks @marcoroth. I can confirm that the issue is fixed when I switch the gem and npm package to master 🙂
Apologies, I did check the closed issues but didn't see #418.
@ukdave I very much wish that all folks reporting issues would provide as much information and explanation as you do. Kudos!
Bug Report
Describe the bug
Form serialisation does not escape input field values.
Form input fields containing
&
and%
characters can cause values to be truncated when accessing the params in the reflex, and can also triggerRack::QueryParser::InvalidParameterError - invalid %-encoding
errors.To Reproduce
Create a simple form that submits to a reflex and enter a & or % character in one of the input fields, e.g:
Expected behavior
Form values should be escaped and parameter values received correctly in the reflex.
Screenshots or reproduction
Using the example form above and filling in the form fields like so:
I can see in the WebSocket messages in Firefox Dev Tools that the
formData
attribute is being sent like this:I believe it should be escaped and sent like this:
In fact entering
foo %26 bar
into the message field results in the parameter being received in the reflex asfoo & bar
.I have created a simple Rails app demonstrating the bug here: https://github.com/ukdave/stimulus_reflex_form_serialization/
From a poke around the stimulus_reflex source code I believe the issue is in the
serialiseForm
method ofjavascript/utils.js
where it joins the form field names and values together with an=
and then joins those together with an&
without any escaping.Versions
StimulusReflex
External tools
Browser