Ampersand in a signed value

unclenorton Member
in Bugs & Feature Requests edited December 2013
Hi there!

First, I've been reading through the forum regarding the problem I am facing, and the closest case I've found is this: It doesn't, however, seem to be exactly similar to my case, nor is it resolved, so after doing some research on my own, I have decided to post this.

Tl;dr: The value containing an ampersand doesn't validate properly, no matter if and how it is encoded.

First, here is the URL:
All requests to the cart are handled via AJAX requests on this website, and the parameter string is formed via a CMS template (Symphony CMS, which has XSLT templates that use a PHP function to perform the encryption).

I am currently feeding the non-URLencoded string to the hash function, but sending URLencoded string as a parameter value.
Feeding the URLencoded value to the hash function doesn't work for me in any case, whether there is ampersand or not.

The parameter string is then stored in a hidden input; the input's value is read every time the "add to cart" call is made.

Currently, the problematic part of the query string looks like this:

As you can see, this product can't be added to the cart, as foxy returns a
<strong>Cart Validation Error</strong>: name

Trying to figure out why it is happening and what really gets encoded, I went to FoxyCart admin and used the sample code tool to check the possible scenarios. Here's what I put there:
<input type="hidden" name="name" value="Accident & Emergency Assistance" />
<input type="hidden" name="name" value="Accident and Emergency Assistance" />
<input type="hidden" name="name" value="Accident%20%26%20Emergency%20Assistance" />
<input type="hidden" name="name" value="Accident+%26+Emergency+Assistance" />
<input type="hidden" name="code" value="105" />

And here's the output:
<input type="hidden" name="name||2613eecded1a213cda6eda02092572c8954a787b4aab6a91b08b33440bc3c3d4" value="Accident & Emergency Assistance" />
<input type="hidden" name="name||fd8fd9ac2d8e1b2a1baaaf33e45b2327c171eb80dff31aecf35defe48d0f4fed" value="Accident and Emergency Assistance" />
<input type="hidden" name="name||810b5754d27286bdd5fc441f8479f7b52fc7f55b8b9c57e0466ad721a701404f" value="Accident%20%26%20Emergency%20Assistance" />
<input type="hidden" name="name||3e249d3ad4b9e52e6ba5218faf95f7ea8bdc1545ffb8420345a365683d58b82d" value="Accident+%26+Emergency+Assistance" />
<input type="hidden" name="code||7ceaf58289653298ddd8f9b064b1cc5f7aa1eeab28aa837aa573f9095e8f6579" value="105" />

As you can see, the first input has the same signature (2613ee) as I get on the site (code matches as well), which is pretty logical. However, I have also tried manually (using Chrome dev tools) editing the input value on the site with the other options, and the only time it worked is when I set the values from the input that has the ampersand replaced with "and". Replacing it with the third one (810b575) still resulted in a validation error.

Does anyone have any ideas on how to circumvent this?

  • brett FoxyCart Team
    Hi @unclenorton Dmitry.

    Sorry this isn't documented. Use &amp;, so:
    <input type="text" name="name" value="Accident &amp; Emergency Assistance" />

    I've tested that out and it works on my end. We'll work on making sure that's cleaned up though, to prevent confusion in the future.

    If that doesn't work for you, let me know.
  • Hi, Brett!

    Thanks, this works for me. There's a bit of ambiguity, though:

    Works the same as:

    So foxy cart effectively ignores this extra 'amp;' in the query string.

    Anyway, thanks a lot for your help!
  • brett FoxyCart Team
    I think that'd have to do with how the request is actually making it to the server, but I could be wrong. It's been a long week and I don't have too much brainpower left :)
  • fc_adam FoxyCart Team

    I'm doing some work updating the documentation for our HMAC functionality to make it a bit clearer what to do when you have ampersands or other special characters in a value - could you confirm for me if you were manually hashing your links or if you were using the automatic method that hashes the whole page for you?
  • unclenorton Member
    edited January 2014

    Sorry for the late reply—I've just returned from my vacation. In my case, I was manually hashing the links using the fc_hash_value helper function from
  • fc_adam FoxyCart Team

    Awesome - thanks for letting me know!
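
An added illustration of the failure mode discussed in this thread, not code from the thread, from FoxyCart, or from the fc_hash_value helper: a generic HMAC-SHA256 verifier showing that a signature only validates when it covers the same bytes the server sees after decoding the query string. The key, the code + name + value message layout and all function names are assumptions, and the verifier does not model how Foxy's own server treats `&`.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

SECRET = b"constructed-demo-key"  # constructed for this example, not a store key


def sign(code, name, value):
    """Hex HMAC-SHA256 over code + name + value (assumed message layout)."""
    msg = (code + name + value).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_param(code, name, value, encode_wire=True, hash_encoded=False):
    """Build 'name||<sig>=<value>' for a query string.

    encode_wire:  percent-encode the value that is transmitted.
    hash_encoded: sign the percent-encoded form instead of the raw value.
    """
    encoded = quote(value, safe="")
    sig = sign(code, name, encoded if hash_encoded else value)
    return f"{name}||{sig}={encoded if encode_wire else value}"


def verify(query, code):
    """Decode the query string as a server would, then check each signed field."""
    results = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, sep, sig = key.partition("||")
        if not sep:
            continue  # unsigned fragment, e.g. the tail of a value split at '&'
        # Constant-time comparison of the received and recomputed signatures.
        results[name] = hmac.compare_digest(sig, sign(code, name, value))
    return results


if __name__ == "__main__":
    value = "Accident & Emergency Assistance"  # value from the thread
    cases = {
        "sign raw, send percent-encoded": signed_param("105", "name", value),
        "sign raw, send raw '&'": signed_param("105", "name", value, encode_wire=False),
        "sign encoded, send encoded": signed_param("105", "name", value, hash_encoded=True),
    }
    for label, query in cases.items():
        print(f"{label}: {verify(query, '105')}")
```

In this model a raw `&` on the wire truncates the value at the separator, and signing the percent-encoded form fails because the verifier hashes the decoded value.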