Tuesday, January 17, 2012

Passing a single quote in a URL query string to a servlet while using HTTPS

Have you ever succeeded in passing a single quote in the query string of a URL?
For example:

Most web server configurations do not allow a single quote, in order to prevent cross-site scripting and SQL injection attacks.

How do I pass a single quote if my parameter has one?
You need to escape the single quote as shown below


Does the above solution work? Not entirely, because & is the parameter separator, so only Jan will be taken as the value of param2. Both & and # are special characters and must be encoded as %26 and %23.
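The splitting behaviour described above, as an added example that is not code or a URL from the original post: it parses a query string the way a server would and compares an unencoded value with percent-encoded ones. The endpoint, the value `Jan&#39;12` and the helper names `received` and `build_url` are constructed for illustration.

```python
from urllib.parse import quote, urlencode, urlsplit, parse_qs

# Constructed placeholder endpoint; not taken from the original post.
BASE = "https://example.test/app/report"


def received(url):
    """Return (query parameters the server parses, fragment kept by the client)."""
    parts = urlsplit(url)
    # keep_blank_values so an empty parameter is still visible in the result
    params = parse_qs(parts.query, keep_blank_values=True)
    return params, parts.fragment


def build_url(base, params):
    """Percent-encode every name and value; safe='' leaves no reserved character raw."""
    return base + "?" + urlencode(params, quote_via=quote, safe="")


# Constructed value: a single quote written as an HTML-style entity, which
# puts a raw '&' and '#' into the URL when concatenated without encoding.
ENTITY_VALUE = "Jan&#39;12"
NAIVE_URL = BASE + "?param1=2012&param2=" + ENTITY_VALUE

# The same data sent as a literal quote, and as the entity text, both encoded.
QUOTE_URL = build_url(BASE, {"param1": "2012", "param2": "Jan'12"})
ENTITY_URL = build_url(BASE, {"param1": "2012", "param2": ENTITY_VALUE})

if __name__ == "__main__":
    for label, url in [("naive", NAIVE_URL), ("quote", QUOTE_URL), ("entity", ENTITY_URL)]:
        params, fragment = received(url)
        print(f"{label:7} {url}")
        print(f"        params={params} fragment={fragment!r}")
```

Percent-encoding only gets the quote to the servlet intact; the decoded value is still untrusted input to any SQL statement or HTML page it reaches.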

The correct encoding for the single quote is shown below