Ampersand (&) not escaped in HTTP parameter - revisited

Subject: Ampersand (&) not escaped in HTTP parameter - revisited
Posted by:  Kevin Davidson (kev…@qsinc.com)
Date: Tue, 11 May 2004

I thought this was fixed, but apparently my patch was included in the
test build when I thought it wasn't. So here is the problem, which
remains in the 9.0.14 development snapshot I just downloaded:

The ampersand character (&) is used as a delimiter between parameters in
an HTTP Post. If the parameter itself contains one, it has to be
escaped. The Indy ParamsEncode doesn't do this. For reference, the
decimal value for an ASCII ampersand is 38.

The existing code is:

class function TIdURI.ParamsEncode(const ASrc: string): string;
var
  i: Integer;
const
  UnsafeChars = ['*', '#', '%', '<', '>', ' ','[',']'];  {do not localize}
begin
  Result := '';    {Do not Localize}
  for i := 1 to Length(ASrc) do
  begin
...
    if (ASrc[i] in UnsafeChars) or (not (ord(ASrc[i]) in [33..128])) then
    begin {do not localize}
      Result := Result + '%' + IntToHex(Ord(ASrc[i]), 2);  {do not localize}
    end
    else
    begin
      Result := Result + ASrc[i];
    end;
  end;
end;

The ampersand needs to be added to the list of unsafe characters:

  UnsafeChars = ['*', '#', '%', '<', '>', ' ','[',']', '&'];

Thanks,

Kevin
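
Added example (not part of the original post and not Indy's code): a Python port of the loop shown above, leaving out whatever the post elides with "...", run over a constructed form value to show what the receiving side parses with and without '&' in the unsafe set. The helper names and the sample fields are assumptions made for the illustration; input is assumed to be ASCII.

```python
from urllib.parse import parse_qs

# Unsafe set copied from the code quoted in the post.
UNSAFE_ORIGINAL = set('*#%<> []')
# The same set with the ampersand added, as the post proposes.
UNSAFE_PATCHED = UNSAFE_ORIGINAL | {'&'}

# Constructed sample form fields (not from the post).
FIELDS = [('company', 'AT&T Wireless'), ('city', 'Tulsa')]


def params_encode(src, unsafe):
    """Port of the quoted loop: %XX-encode unsafe chars and anything outside 33..128."""
    out = []
    for ch in src:
        if ch in unsafe or not (33 <= ord(ch) <= 128):
            out.append('%{:02X}'.format(ord(ch)))
        else:
            out.append(ch)
    return ''.join(out)


def post_body(fields, unsafe):
    """Encode each value, then join name=value pairs with the '&' delimiter."""
    return '&'.join(name + '=' + params_encode(value, unsafe)
                    for name, value in fields)


def server_view(body):
    """Parse the body the way a form handler on the receiving side would."""
    return parse_qs(body, keep_blank_values=True)


def round_trip(fields, unsafe):
    """What the receiver ends up with after the sender encodes and posts."""
    return server_view(post_body(fields, unsafe))


if __name__ == '__main__':
    for label, unsafe in (('original', UNSAFE_ORIGINAL), ('patched', UNSAFE_PATCHED)):
        print(label, post_body(FIELDS, unsafe), round_trip(FIELDS, unsafe))
```

With the original set the receiver gets a truncated "company" value and an extra parameter that the sender never supplied; with '&' in the set the two fields arrive intact.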
