Rails params parsing, escaping needed?

Question

I'm currently using Jquery to serialize() a form, which contains a textarea, and POST it to Rails.

This works successfully in most cases, unless the textarea contains a line in quotes, on its own. If such a line exists Rails parses the contents between the quotes of that line as the params variable rather than the entire contents of the field.

For Example: take the task[description] of the following POST Request, sent to rails 2.3.8 via Jquery Post

FireBug: POST Parameters

authenticity_token  r0uu4QQ9e73aEsSKl2LJRIWap1BSQWMKRaieCOwHEpg=
task[description]   line1 
                    "line2" 
                    "line3"
                    line4
task[due_date]  
task[project_id]    1
task[responsible_user_id]   nobody
task[title] Parse Bug

Firebug: POST Source

       authenticity_token=r0uu4QQ9e73aEsSKl2LJRIWap1BSQWMKRaieCOwHEpg%3D&
       task%5Bproject_id%5D=1&task%5Bresponsible_user_id%5D=nobody&
       task%5Bdue_date%5D=&task%5Btitle%5D=Parse+Bug&
       task%5Bdescription%5D=line1%0A%22line2%22%0A%22line3%22%0Aline4

After rails parses the request params[:task][:description] gets the value of "line2" rather than the entire text block. (line1 "line2" "line3" line4)... see below

Rails development log

     Processing TasksController#create (for 127.0.0.1 at 2010-07-26 17:05:06) [POST]
     Parameters: {"action"=>"create", "authenticity_token"=>"r0uu4QQ9e73aEsSKl2LJRIWap1BSQWMKRaieCOwHEpg=", 
     "task"=>{"title"=>"Parse Bug", "project_id"=>"1", "due_date"=>"", 
              "description"=>"line2", "responsible_user_id"=>"nobody"}, "controller"=>"tasks"}

It seems that Rails parses from the POST source anything between two %0A%22 as the content of the variable rather than everything after the =

The quotes are escaped as %22 but should I be escaping them differently?

Much Thanks! If my description is confusing please ask me to clarify any part of it.

Updated

Here's the relative Jquery used:

$('#new-item').find('.submit').live('click', function(){
    var form = $(this).closest('form');
    $.post(form.attr("action"), form.serialize(), null, "script");
    return false;
});

$.ajaxSetup({
   'beforeSend':function(xhr) {xhr.setRequestHeader("Accept", "text/javascript")}
})

Answer 1

I've followed the instructions in Ryan Bates Railscast 136 and created a minimal application using a subset of your model.

This is all working fine for me. Rails 2.3.5 Ruby 1.8.7 OS/X

FIREBUG: Post

Parameters

authenticity_token  7JSQYKGEsteve8Emm5ZrdstOEgvvSJCD6Quxl588g5M=
task[description]   line1 "line2" "line3" line4
task[responsible_user]  steve
task[title] Test 2 quoted

Source

authenticity_token=7JSQYKGEsteve8Emm5ZrdstOEgvvSJCD6Quxl588g5M%3D&task%5B
description%5D=line1%0A%22line2%22%0A%22line3%22%0Aline4&task%5B
responsible_user%5D=steve&task%5Btitle%5D=Test+2+quoted

Rails Development log

Parameters: {
  "authenticity_token"=>"7JSQYKGEhgfIY8Emm5ZrdstOEgvvSJCD6Quxl588g5M=",
  "task"=>{"title"=>"Test 2 quoted",
  "description"=>"line1\n\"line2\"\n\"line3\"\nline4", 
  "responsible_user"=>"steve"}
}

The relevant code from the rails application is as follows :-

application.js

// public/javascripts/application.js
jQuery.ajaxSetup({ 
  'beforeSend': function(xhr) {xhr.setRequestHeader("Accept", "text/javascript")}
})

jQuery.fn.submitWithAjax = function() {
  this.submit(function() {
    $.post(this.action, $(this).serialize(), null, "script");
    return false;
  })
  return this;
};

$(document).ready(function() {
  $("#new_task").submitWithAjax();
})

app/views/tasks/create.js.erb

// views/tasks/create.js.erb
$("#new_task").before('<div id="flash_notice">
  <%=escape_javascript(flash.delete(:notice)) %></div>');
$("#tasks_count").html("<%= pluralize(Task.count, 'Task') %>");
$("#new_task")[0].reset();

app/views/tasks/create.js.erb

<% form_for @task do |f| %>
  <p id="tasks_count">
    <%= pluralize(Task.count, 'Task') %>
  </p>
  <%= f.error_messages %>
  <p>
    <%= f.label :description %><br />
    <%= f.text_area :description %>
  </p>
  <p>
    <%= f.label :responsible_user %><br />
    <%= f.text_field :responsible_user %>
  </p>
  <p>
    <%= f.label :title %><br />
    <%= f.text_field :title %>
  </p>
  <p><%= f.submit "Submit" %></p>
<% end %>

The obvious difference is the format of the paramaters within Firebug. Mine all appear on one line but the encoded source looks fine to me. (I am using Firebug Lite but I wouldn't see that making a difference)