How can I stop the browser from url-encoding form values on GET

Background

It's a bit more subtle than one might think at first sight. For any URL, which is a specific form of the URI standard, certain characters are special. Among the special characters are `:` (scheme separator) and `/` (path or hierarchy separator), here's the full list of reserved symbols from [RFC-2396][1]:

reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","

It has little to do with security, much more with simply following a standard: these symbols mean something special in any URI, URL or URN. When you need to use them as part of a path or a querystring (the GET request creates a query string for you), you need to escape them. The short version of escaping is: take the UTF-8 bytes as hexadecimal and precede them with a % sign. In the case of the reserved characters, that's always a single-byte character in UTF-8 and thus escaped as two hex digits.

Path to a solution

Back to your problem. You didn't mention what language you were using. But any language that works with the internet has a way of encoding or decoding URLs. Some have helper functions to decode an entire URL, but normally you are better of splitting it into a name/value pairs and then decoding it. This will give you the absolute URL-path you need.

Note: it is best to always decode query values, simply because when people type in a value, they won't know whether that value is reserved, and the browser will encode it for you. Not doing so poses a security risk.

EDIT: When you need to decode within a page, not on the server side, you're going to need JavaScript to do the job. Have a look at this page for en/decoding URLs, or use Google to find many others.

No, you can't. The encoding is required to make a valid URL.

Instead, decode the value in your receiving code (what platform are you on anyways, URL decoding is usually done automatically for you)

If you used XMLHttpRequest you can send text without encoding. You can use JavaScript to do that, but remember to set content-type to text/plain.

content-type: text/plain 

No for security reason you can't do this. You have to collect and decode it at the receiving end.

When you use FORM and GET method and some special chars, you will end up with browser encoding the resulted query. For newer browsers that support changing the URL address without refreshing the page (IE10+), is possible to decode the URL query string and update the address.

I'm using a script like this:

 <script type="text/javascript"> if (history.pushState) { //IE10+ var newurl = window.location.protocol + "//" + window.location.host + window.location.pathname + decodeURIComponent(window.location.search); window.history.pushState({path:newurl},'',newurl); } </script> 

This will transform a http://example.com/page.html?path=foo%2Fbar back to http://example.com/page.html?path=foo/bar

You can decode the url using javascript Function: decodeURIComponent(Url ); Because Browser encodes the Url for special characters . For example : https://www.example.com is encoded to %20https%3A%2F%2Fwww.example.com. Here the special characters are replaced by % and its ASCI value.