Javascript redirects double-encoding GET query parameter such as arrays [] %255B %255D

If you are passing query parameters such as arrays, Apache may double-encode them so that %5B and %5D becomes %255B and %255D for URLs that are submitted such as:

?a[b]=1&a[c]=2&d[]=3&d[]=4&d[2][e]=5

http://api.jquery.com/jquery.param

If you are making Ajax or API calls from a Javascript library (such as via jQuery or Angular) then it will encode the URI initially, then the web server (such as Apache) will 301 or 302 redirect to the new URI and the Javascript library will encode them again, resulting in double-encoded characters.

If you have redirect rules such as http to https or trailing slash to non-trailing slash then you will need to update the URIs you are making requests to in the Javascript calls.

Haven’t confirmed if Nginx or other web servers are affected by this yet

Add comment