url_for and ampersand escaping?

I have two different servers, with two different test rails apps, both of which claim to be running Rails 2.1.2.

On one of them, url_for in a view environment generates &amp; in between query parameters, instead of just &. On the other, it generates just &.

Huh? I can't figure out why this is one way in one app that claims to be Rails 2.1.2, and another in another.

In neither one does url_for called in a controller context (rather than a helper context) use "&amp;" to separate query parameters, it just uses "&".

It's driving me crazy. Anyone have any idea what might be going on?


Hi, can you post the relevant code or snippet of it?


Oh boy, this was a crazy one. It wasn't url_for that was behaving differently. url_for on both servers separates query parameters with &amp; (url_for the helper method; url_for the controller method does not. I did not know this. Kinda confusing and unpredictable--and undocumented).

But okay. I was then passing it through REXML in order to 'escape' it for eventual inclusion in some XML:

xml_escaped = REXML::Text.new( generated_url ).to_s

The difference between my two servers was ruby version, not Rails version. REXML is included with stock ruby (I didn't realize that either).

REXML::Text that comes with ruby 1.8.5 will not 'double escape' &amp; to &amp;amp;.

I guess I'd consider that a bug, indeed. It probably should be double escaping something like that, if you pass it in escaped.

REXML::Text that comes with ruby 1.8.6, on the other hand, WILL double escape that text passed in escaped.

Wooh, what a mess.


Jonathan Rochkind wrote:

Why "unpredictable"? HTML requires ampersands to be escaped, as part of URLs or otherwise.

A URL in plain text format, though, should not have ampersands escaped.

It would be confusing if the two `url_for`s worked differently :)

I knew that a URL in xHTML required ampersands to be escaped like that, even in an <a href>. I did not know that a URL in standard (non-x)HTML required that. Really? Okay.

HTML Document Representation

But it's confusing in part because an ERB template isn't _only_ used for HTML. It can theoretically be used for creating any format, including plain text, right? And someone using an ERB template to create (eg) plain text is going to get tripped up there.

Interesting point -- I haven't tried generating any text/plain from an ERB template.

An ERB template was generating XML. It took the result of a url_for call, and put it through an XML-escaping routine, figuring that anything that was being put in XML should be put through an XML escaping routine.

So we wound up with XML whose source looked like <some_url>/controller/action?foo=foo&amp;amp;bar=bar

Is this correct or not?

I'd say not :)

Try eliminating the extra escaping routine and see what happens...
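
The double escaping discussed in this thread, as an added example that is not part of any poster's message: a URL that the view helper has already entity-escaped is escaped a second time on its way into XML, and the fix is to carry the raw URL and escape exactly once at the output boundary. `CGI.escapeHTML` stands in here for the XML escaping routine (an assumption, so the block runs on the standard library alone), and the function names, the regular expression and the sample URL are constructed for illustration.

```ruby
require "cgi"

# Stand-in for the XML escaping routine (assumption): escapes & < > " '.
def xml_escape(raw)
  CGI.escapeHTML(raw)
end

# Pipeline from the thread: the helper's output is ALREADY entity-escaped,
# so escaping it again turns every "&amp;" into "&amp;amp;".
def naive_xml_element(name, helper_url)
  "<#{name}>#{xml_escape(helper_url)}</#{name}>"
end

# Escape-once pipeline. Assumes the input always comes from the view helper
# (always escaped): decode it back to the raw URL, then escape a single time
# where the value enters the XML document.
def escape_once_xml_element(name, helper_url)
  raw = CGI.unescapeHTML(helper_url)
  "<#{name}>#{xml_escape(raw)}</#{name}>"
end

# Regression check for generated markup: an escaped ampersand followed by the
# remainder of an entity ("&amp;amp;", "&amp;lt;", "&amp;#39;") is the
# signature of a value that was escaped twice.
DOUBLE_ESCAPED = /&amp;(?:amp|lt|gt|quot|apos|#\d+|#x\h+);/

def double_escaped?(markup)
  markup.match?(DOUBLE_ESCAPED)
end

# What a consumer sees after decoding the element text once.
def decoded_text(element)
  CGI.unescapeHTML(element[/>(.*)</m, 1])
end

# Constructed sample: what url_for returns in a view, per the thread.
HELPER_URL = "/controller/action?foo=foo&amp;bar=bar"

if __FILE__ == $PROGRAM_NAME
  [naive_xml_element("some_url", HELPER_URL),
   escape_once_xml_element("some_url", HELPER_URL)].each do |xml|
    puts "#{xml}  double_escaped=#{double_escaped?(xml)}  decodes_to=#{decoded_text(xml)}"
  end
end
```

A consumer that decodes the naive element once gets a URL whose separator is the literal text `&amp;`, so the second query parameter arrives under the wrong name.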