send html text with ajax, problem on '&'?

Question

i use jquery.ajax to save a rich text area .

corr=some.innerHTML(); /* corr='< some text <' */
$.ajax({
    type:"POST", url:"flatplan/save_corr.php",
    data:"corr="+corr+"&IDFS="+IDFILES,
    success: function(msg){

    },
    error:function(x,e){
        ajax_errors(x,e);
    }
});

The problem is that the corr variable can contain '&' chars inside and it send more params giving problems. Is there any way to post with ajax html text?

Answer 1

You can (and should) escape query string components with encodeURIComponent.

data: "corr=" + encodeURIComponent(corr) + "&IDFS=" + encodeURIComponent(IDFILES),

Edit: jQuery can accept an Object in the data field. You should just use

data: ({
  corr: corr,
  IDFS: IDFILES
}),

so that jQuery can automatically encode the query string.

Answer 2

The corr value cannot contain &. If it does, you need to urlencode that value. To do this, use the escape() method.

var corr = escape(some.innerHTML()); //(corr='< some text <')
$.ajax({
    type:"POST", 
    url:"flatplan/save_corr.php",
    data:"corr="+corr+"&IDFS="+IDFILES,
    success: function(msg){
        //success handler
    },
    error:function(x,e){
        ajax_errors(x,e);
    }
});

Answer 3

I would personally escape all html going into before posting it via AJAX that and have the php file unescape the resultant or Sanity Check the input in PHP before processing. I've not been caught with this one but I can see where it might be an issue.