POST request in javascript

Question

I want to make this below javascript call to change from GET to POST

function redirect() {
    if (window.focus)
        self.focus();
    this.location = "/test/DownloadReport?
     <%=ESAPI.encoder().encodeForJavaScript(request.getQueryString())%>";
}

So, I've done below -

function redirect() {
    if(window.focus)
        self.focus();
    loc = '/test/DownloadReport';   
    var form = document.createElement("form");
    var input = document.createElement("input");
    input.setAttribute("value", "
    <%=ESAPI.encoder().encodeForJavaScript(request.getQueryString())%>");
    form.appendChild(input);

    form.setAttribute("method", "post");
    form.setAttribute("action", loc);

    document.body.appendChild(form);
    form.submit();
}

But issue I'm facing is when this code is getting executed then the servlet is throwing error as the request.getQueryString() is not proper. I'm suspecting the way I'm setting value for request.getQueryString() is incorrect. Could you please advise what needs to be done here?

Answer 1

The way you are doing is improper.

ESAPI Javascript Encoder converts human readable javascript to UTF-8 Escape sequence.

try the following code :

input.setAttribute("value", "<%=request.getQueryString()%>");
input.setAttribute("type","hidden");

Answer 2

Keep in mind that your POST request looks like:

value=foo%3Dbar%26ipsum%3Dlorem

Whereas your GET request looked like:

foo=bar&ipsum=lorem

What you'll likely need to do is add an input for each parameter in the original QueryString. This can get tricky.

So instead of:

<input name="value" value="foo=bar&ipsum=lorem" />

You need:

<input name="foo" value="bar" />
<input name="ipsum" value="lorem" />