
Escaping an ampersand within an OAuth request

This article is over 2 years old. Proceed with caution.

Regards ♨ – Minimul

 

When working with Intuit's QuickBooks Online API, I couldn't get an ampersand within a search filter to work. Here is the original request, using Ruby's CGI to escape it for QuickBooks Online:

# Example request to find a vendor with an ampersand in the name, e.g.:
#   Name :EQUALS: Dietz & Watson
require 'cgi'
# CGI.escape yields
CGI.escape('Name :EQUALS: Dietz & Watson') # => "Name+%3AEQUALS%3A+Dietz+%26+Watson"

You can see that the & is converted to %26, which is the standard and correct encoding, but the request was not finding the record.

Solution

The answer is to replace the & with %2526, for example:

"Filter=Name+%3AEQUALS%3A+Dietz+%2526+Watson&PageNum=1&ResultsPerPage=20"

Note: If you are using Ruby's CGI library, you can pass the string "Dietz %26 Watson" into CGI.escape and it will convert the %26 to %2526.

Why?

It might have to do with the filter being part of an OAuth request. The best possible explanation I found was from Taylor Singletary here, which I quote below.

The best way to look at it is that yes, you'll need to encode & to %26 to include it within the status body of a message. In an OAuth signature base string, the already encoded "%26" would need to be "%25%26." The library or environment you are using might have some features to it that are trying to "do the right thing" for you -- but actually aren't. Perhaps when you use a raw "&" it converts it to %26 for the POST body but fails to convert it to %2526 for the signature basestring. Perhaps when you send a %26 instead, it converts it to %2526 for your POST body and then %252526 for your signature base string, which would explain the encoding issue in the resultant tweet. Identifying when there's magic behavior going on should help you solve the problem.
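
The two encoding passes described in the quote above, carried through for this article's filter as an added example (not code from the original post or from Intuit): it builds an OAuth 1.0 signature base string per RFC 5849, where the `&` is `%26` in the encoded parameter and `%2526` in the base string. The URL, credentials and helper names are constructed placeholders.

```ruby
require 'openssl'

# RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849, section 3.6):
# only A-Z a-z 0-9 - . _ ~ stay literal; a space becomes %20, not "+".
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |byte| format('%%%02X', byte.ord) }
end

# First pass: encode each name and value once, sort, join with "=" and "&".
def normalized_params(params)
  params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
        .sort
        .map { |pair| pair.join('=') }
        .join('&')
end

# METHOD & encoded URL & encoded parameter string. Encoding the parameter
# string is the second pass: every "%" from the first pass becomes "%25".
def signature_base_string(http_method, url, params)
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized_params(params))].join('&')
end

# HMAC-SHA1 over the base string, Base64-encoded without line breaks.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('SHA1', key, base_string)].pack('m0')
end

# Constructed sample request: URL and credentials are placeholders, and a
# real request adds the remaining oauth_* parameters to the same hash.
SAMPLE_URL = 'https://api.example.com/vendors'
SAMPLE_PARAMS = {
  'Filter' => 'Name :EQUALS: Dietz & Watson',
  'PageNum' => '1',
  'ResultsPerPage' => '20',
  'oauth_consumer_key' => 'example-consumer-key'
}.freeze

if __FILE__ == $PROGRAM_NAME
  base = signature_base_string('post', SAMPLE_URL, SAMPLE_PARAMS)
  puts "once:  #{normalized_params(SAMPLE_PARAMS)}"
  puts "twice: #{base}"
  puts "sig:   #{hmac_sha1_signature(base, 'example-secret', 'example-token-secret')}"
end
```

If a client library signs a base string built from one form of the value and transmits another, the server's recomputed signature will not match, so comparing the "once" and "twice" lines against what the library actually sends is a quick way to spot the "magic behavior" the quote mentions.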