I am editing a search form and trying to protect against special characters in the database. In the JSP search form, a (multiselect) dropdown allows users to select descriptions that will be used in the query (note: descriptions is a list of strings):
<select id="descriptionSelect" multiple="multiple">
<c:forEach items="${descriptions}" var="description">
<option value="${fn:escapeXml(description)}")}">
<c:out value="${description}" />
</option>
</c:forEach>
</select>
var descriptionSelectBox = document.getElementById("descriptionSelect");
var descriptionsUrlAddition = "";
for (var i = 0; i < descriptionSelectBox.options.length; i++) {
if (descriptionSelectBox.options[i].selected) {
descriptionsUrlAddition += "&descriptions=" + escape(descriptionSelectBox.options[i].value);
}
}
+
means "space" in URLs. Replace it with %2B
. You could do this just after composing descriptionsUrlAddition
, for example.
descriptionsUrlAddition = descriptionsUrlAddition.replace('+', '%2B');