1

I have an already encoded URL string printed in my HTML template via Django. When I place this in a call to location.replace() it gets mangled by some JavaScript that mangles the = and % already present in the query string, resulting in the subsequent URL (out of my domain) not knowing what to do with it.

How do I prevent JavaScript from changing it?

EDIT: example url string:

'http://destination.com/?name=https%3A%2F%2Fexample.com%2F&nextparam=nextvalue'

Passing the above into location.replace() results in a redirect to:

http://destination.com/?name%3Dhttps%253A%252F%252Fexample.com%252Fnextparam=nextvalue

which is obviously incorrect.

The URL has as one of its query string parameters a URL. The safe encoded characters passed from Django are from the set of characters in the string ':/', basically so the 'http://example.com/' gets encoded correctly. Fine. '=%&' are all untouched parts of the query string.

In my encoded string that works outside of JS (e.g. in an anchor tag href) this links to the correct URL.

But when I put it in window.location, when it redirects it escapes all characters in the query string and removes '&' for some reason - even the '%' used to encode the original URL parameter in the qs. Checking source shows the string is identical to the one in the a tag above.

Is there any way to prevent the JavaScript location attribute escaping stuff prior to the redirect?

Samuel Liew
user1561108

2 Answers

1

You should decode the query string before calling location.replace() with it.

JavaScript doesn't have a built-in method for encoding/decoding strings, but there is a library called php.js that can help you. See this link for a function for decoding URLs. This library is widely supported.

Samuel
1

Consider decoding the query string before calling location.replace() with it.

You can do this using the built-in decodeURIComponent function.

user2428118
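An added example, not part of the question or either answer: it shows how a second encoding pass over the question's URL produces the `%3D` and `%25` seen in the mangled redirect, and how to check a target before handing it to location.replace(). The function names are hypothetical, and the sample URL is the one from the question.

```javascript
// Sample input: the already-encoded URL quoted in the question.
const ENCODED =
  'http://destination.com/?name=https%3A%2F%2Fexample.com%2F&nextparam=nextvalue';

// Build the target from raw values so every value is encoded exactly once.
function buildRedirect(base, params) {
  const u = new URL(base);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}

// Simulate the fault: running an encoder over a query string that is
// already encoded escapes '=' and '&' and turns every '%' into '%25'.
function doubleEncode(url) {
  const i = url.indexOf('?');
  return url.slice(0, i + 1) + encodeURIComponent(url.slice(i + 1));
}

// Count decode passes until the string stops changing.
// 1 = encoded once (expected here), 2 or more = double-encoded.
function encodingDepth(s, max = 5) {
  let cur = s;
  let depth = 0;
  while (depth < max) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape such as a lone '%': stop counting
    }
    if (next === cur) break;
    cur = next;
    depth += 1;
  }
  return depth;
}

// Pre-redirect check: the destination must still see every expected parameter.
// On a double-encoded URL the whole query collapses into a single odd key.
function hasParams(url, names) {
  const q = new URL(url).searchParams;
  return names.every((n) => q.has(n));
}

// In the page (browser only), refuse to redirect when the check fails:
//   if (hasParams(target, ['name', 'nextparam'])) location.replace(target);
```

The simulated fault keeps the `&` as `%26`, whereas the redirect in the question dropped it, so it reproduces only the `=` and `%` part of the symptom.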