
Escaping an ampersand within an OAuth request

This article is over 2 years old. Proceed with caution.

Regards ♨ – Minimul


When working with Intuit's QuickBooks Online API, I couldn't get an ampersand within a search filter to work. I was using Ruby's CGI to escape the request to QuickBooks Online; here is the original request:

# Example request to find a vendor with an ampersand in the name, e.g.:
#   Name :EQUALS: Dietz & Watson
require 'cgi'

# CGI.escape yields
CGI.escape('Name :EQUALS: Dietz & Watson') # => "Name+%3AEQUALS%3A+Dietz+%26+Watson"

You can see that the & is converted to %26, which is the standard and correct encoding, but the request was not finding the record.


The answer is to replace the & with %2526.


Note: If you are using Ruby's CGI library, you can pass the string "Dietz %26 Watson" into CGI.escape and it will convert the %26 to %2526.


It might have to do with the filter being part of an OAuth request. The best explanation I found was from Taylor Singletary here, which I quote below.

The best way to look at it is that yes, you'll need to encode & to %26 to include it within the status body of a message. In an OAuth signature base string, then already encoded "%26" would need to be "%25%26." The library or environment you are using might have some features to it that is trying to "do the right thing" for you -- but actually isn't. Perhaps when you use a raw "&" it converts it to %26 for the POST body but fails to convert it to %2526 for the signature basestring. Perhaps when you send a %26 instead, it converts it to %2526 for your POST body and then %252526 for your signature base string, which would explain the encoding issue in the resultant tweet. Identifying when there's magic behavior going on should help you solve the problem.
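
To see where each encoding level comes from, here is an added example (not code from the original post, from Intuit or from any OAuth library) that builds an OAuth 1.0 signature base string following RFC 5849 and signs it with HMAC-SHA1. The URL, the parameter names and the secrets are constructed placeholders, and a real request would carry the full set of oauth_* parameters.

```ruby
require 'openssl'

# RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |byte| format('%%%02X', byte.ord) }
end

# Normalized parameters (section 3.4.1.3.2): encode each name and value once,
# sort the pairs, join them with "&".
def normalized_params(params)
  params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
        .sort
        .map { |k, v| "#{k}=#{v}" }
        .join('&')
end

# Signature base string (section 3.4.1.1): method, URL and the normalized
# parameters are each encoded again, so a "&" inside a value becomes %2526.
def signature_base_string(http_method, base_url, params)
  [http_method.upcase, base_url, normalized_params(params)]
    .map { |part| oauth_escape(part) }
    .join('&')
end

# HMAC-SHA1 signature (section 3.4.2), Base64-encoded without line breaks.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('SHA1', key, base_string)].pack('m0')
end

# Constructed sample input: URL, parameter names and secrets are placeholders.
SAMPLE_URL = 'https://api.example.test/v3/vendors'
RAW_PARAMS = { 'Filter' => 'Name :EQUALS: Dietz & Watson', 'oauth_nonce' => 'abc123' }.freeze
# Same request, but the caller already turned "&" into "%26" before signing.
PRE_ENCODED = RAW_PARAMS.merge('Filter' => 'Name :EQUALS: Dietz %26 Watson').freeze

# True only when both parameter sets produce the same signature.
def signatures_match?(params_a, params_b)
  sign = ->(p) { hmac_sha1_signature(signature_base_string('GET', SAMPLE_URL, p), 'cs', 'ts') }
  sign.call(params_a) == sign.call(params_b)
end

puts normalized_params(RAW_PARAMS)                         # "&" encoded once:  %26
puts signature_base_string('GET', SAMPLE_URL, RAW_PARAMS)  # encoded twice:     %2526
puts signature_base_string('GET', SAMPLE_URL, PRE_ENCODED) # pre-encoded input: %252526
puts signatures_match?(RAW_PARAMS, PRE_ENCODED)
```

The two signatures differ because the signer and the verifier must both start from the same raw value; if a library encodes a value that was already encoded by hand, the base strings diverge by one level.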