Fixing Nested http Params Are HTML Escaped with Slashes

This may not be super common, but it was hard to debug for me. I had an error when I was posting form parameters using the .post_form method from one rails app to another, where a nested params hash was getting html escaped and ending up with tons of slashes or backslashes appearing in the params hash, like this:

Parameters: {"utf8"=>"✓", "authenticity_token"=>"anLqF1UcQULf35xHJZW5Ya9rjMAgkse7h1R=", "user"=>"{\"name\"=>\"nqne\", \"last_name\"=>\"nwen\", \"email\"=>\"\", \"password\"=>\"foobartest\", \"password_confirmation\"=>\"foobartest\"}"}

Now obviously when I was trying to receive these parameters in my other rails app, it was not reading them correctly. Apparently this happens because the .post_form method turns nested hashes into escaped strings for some reason. This is the code that was giving me this error:

require "net/http"
uri = URI('')
x = Net::HTTP.post_form(uri, params)

As you can see, when I post a nested params hash via .post_form, it escapes them as html strings. The way I solved this was to switch to using the .post method. So replacing the third line above with:

http =
response =, params.to_query)	

Note also that I call the .to_query method on the params hash. See this Stack Overflow question for an example of that. Essentially it converts a hash into a string.  Bingo, this solved it!

Another workaround that worked but is not ideal is to not use the rails form helper to create your form params.  So for example, the form I was submitting was created with standard rails form helpers:

<%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
  <%= devise_error_messages! %>
  <%= f.label :name, "First Name" %> <%= f.text_field :name, autofocus: true %>
  <%= f.label :last_name %> <%= f.text_field :last_name %>
  <%= f.label :email %> <%= f.email_field :email %>
  <%= f.label :password %> <%= f.password_field :password, autocomplete: "off" %>
  <%= f.label :password_confirmation %> <%= f.password_field :password_confirmation, autocomplete: "off" %>
  <%= f.submit "Sign up" %>
<% end %>

And that creates a nested params hash that the .post_form method escapes. But if instead I just use direct html to create the params, as in the email field below:

  Sign up with your email <input name="email" type="email" autofocus="true" />

Then it doesn’t get escaped by the .post_form method. I prefer the first method, as it allows you to keep the rails form helpers in place.

(another related SO question)

Hope this was helpful!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: