Link sanitization breaks query strings with the character %

Hello,

I’m trying to create a note with a link inside. The link contains an encoded querystring, so the character % becomes %25 and spaces become %20:

I’m sending in the api the string

<a href="https://www.site.com/?q=test%20%25%20test">This is a link</a>

But when the note is created, the %25 part of the link becomes only % again, so the final link that is clickable in the interface becomes

https://www.site.com/?q=test%20%%20test

which is invalid, because %%20 is not recognized as a valid query string.

It may also be an issue with the site we’re trying to use, because there should not be a problem with %%20

https://www.google.com/search?q=abc%20%25%20def works
and
https://www.google.com/search?q=abc%20%%20def also works

Hi @lxlvm

I’ve to create a note for a deal with a link that contains next query param


which is test_%_test (like in your example).

Once I hover over a link in Pipedrive UI, % will be shown as %25

after I click on a link, query params are shown in the same way they were created in note

which is correctly decoded afterwards

Am I missing something or have you already resolved it?

Hi mykhailo,

we found a workaround for our specific case, but when I try to create a note with the same input, my browser “understands” what it should be, but the link itself is still with %%20

Even if I try to call the api directly with Postman the response does not include the %25

Just to understand it a bit better, let’s cover an example on API level only (without UI)

I created a note (POST /notes) with next payload

{
   "deal_id": 1,
   "content": "<a href=\"http://example.com?q=test%20%25%20test\"></a>"
}

I got the created note in the response and it included the same content I created it with (nothing was changed).
If I make GET /notes/<created note id> I’m getting the same result.

Did I get it right that if you do the same operation (let's say with Postman), the content changes for you and the content you sent during creation does not equal what you get in the following GET request?

If so, could you provide a payload you send (code block like I did above), so I could try it too?

Now I found why we are seeing different results:

when I call the api with a json payload it works as you are saying, it includes the %25:

but when I call the api passing the parameters as form-data or x-www-form-urlencoded the %25 gets converted to %:


I did not know that I could send parameters as json, because the official documentation says it should be x-www-form-urlencoded (https://developers.pipedrive.com/docs/api/v1/pipedrive-api.yaml line 3816), and the pipedrive node sdk that we are using also sends the parameters using content-type application/x-www-form-urlencoded

@lxlvm thank you for your explanation. Indeed, the OpenAPI file says to use the application/x-www-form-urlencoded content type for a POST /notes request body, which is true, but it also supports application/json. We have this statement in the docs (Requests)

We recommend using JSON body format when performing API requests. In order to do a proper JSON-formatted request, make sure you provide Content-Type: application/json in HTTP request headers.
For the POST method, regular form-encoded body format is also supported but you may experience quirks related to lack of data types

but I agree, ideally, it should be reflected in OpenAPI file too.

I created a github issue addressing this point
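
The content-type difference found in this thread, as an added example that is not part of the original posts and is not Pipedrive's code: a form-urlencoded body is percent-decoded once by the receiver, so a value that already contains escapes only survives if the client encodes it again, while a JSON body carries the string verbatim. The function names (`lenientDecode`, `parseFormBody`, `hasInvalidEscape`, `compareEncodings`) are hypothetical, and the parser models generic form parsing, which is an assumption about the server side.

```javascript
// Added example: models a generic form-urlencoded receiver, not Pipedrive's server code.
// Constructed sample: the note content from the thread, with an already-encoded href.
const content = '<a href="https://www.site.com/?q=test%20%25%20test">This is a link</a>';

// Decode '+' as space and valid %XX runs; leave a stray '%' in place instead of throwing.
function lenientDecode(s) {
  return s.replace(/\+/g, ' ').replace(/(?:%[0-9A-Fa-f]{2})+/g, (run) => {
    try { return decodeURIComponent(run); } catch (e) { return run; }
  });
}

// Split key=value pairs on '&' and decode each side exactly once.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? '' : pair.slice(i + 1);
    fields[lenientDecode(key)] = lenientDecode(value);
  }
  return fields;
}

// True when a '%' is not followed by two hex digits, e.g. the "%%20" from the thread.
function hasInvalidEscape(s) {
  return /%(?![0-9A-Fa-f]{2})/.test(s);
}

// What the receiver ends up with for each way of sending the same value.
function compareEncodings(value) {
  // 1. Value pasted into a form body as-is: its own escapes are consumed by the decode.
  const raw = parseFormBody('content=' + value).content;
  // 2. Value form-encoded by the client (%25 is sent as %2525): one decode restores it.
  const encoded = parseFormBody(new URLSearchParams({ content: value }).toString()).content;
  // 3. JSON body: no percent-decoding layer at all.
  const json = JSON.parse(JSON.stringify({ content: value })).content;
  return { raw, encoded, json };
}

const result = compareEncodings(content);
for (const [mode, received] of Object.entries(result)) {
  console.log(mode.padEnd(8), received === content ? 'intact ' : 'CHANGED',
    hasInvalidEscape(received) ? '(invalid % escape)' : '', received);
}
```

Running the same comparison against a real endpoint (create, then GET, then compare byte for byte) is a quick way to tell which layer altered the stored value.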