Poor Monzo.me URL Escaping

(Daniel Brown) #1


I’ve reported this through support a number of times across a few months, but never heard anything back or seen it be fixed… so thought it might be worth posting here.

I often use Monzo.me to collect payment for various things from friends. More often than not I create them through the request tab on the iOS application and then share them via Facebook Messenger.

The other person will them open them from Facebook messenger and complete the transaction, however – when they move from the Facebook messenger WebKit frame over to the Monzo app some URL escaping appears to go wrong and plus signs (+) appear where spaces should be.

I’ve attached a screenshot as an example.

Would be great to see this fixed (and perhaps a way to go back and remove the + signs? They’re making my feed hard to search through).


(Simon B) #2

Facebook Messenger does weird things to links. It completely breaks Golden Tickets, too. I suspect the cause may be similar.

With Golden Tickets, it appears that query parameters are stripped from the URL when clicked. As far as I’m aware, fixing this isn’t something under our control, sadly :pensive:

Can you check whether the same thing happens if you send the monzo.me link via other methods such as email or iMessage?

(Peter Roberts) #4

It is caused by Facebook mangling but also Monzo ignoring the convention of accepting + as an alternate URL encoding for a space as well as %20

Facebook will turn https://monzo.me/peterroberts/1?d=Test%20test%20test into https://monzo.me/peterroberts/1?d=Test+test+test

URLs cannot contain spaces. URL encoding normally replaces a space with a plus (+) sign or with %20.

Taken from https://www.w3schools.com/tags/ref_urlencode.asp


Incidentally, that’s a good illustration why I don’t like w3schools. It completely overlooks a very important aspect: + is only valid to encode a [space] in the query part of the URL (the part after the ?). For the rest of the URL the only valid encoding for a [space] is %20 (which is also valid for the query part). They should really point this out.


  • example.com/test.html?foo=bar1+bar2: The value of foo is bar1 bar2 ([space] between bar1 and bar2)
  • example.com/test.html?foo=bar1%20bar2: is identical to the above.
  • example.com/test%20file.html: Will request the file test file.html ([space] between test and file)
  • example.com/test+file.html: Will request the file test+file.html (+ between test and file)

(It should be noted, though, that + is perfectly valid for the query part, and Monzo should decode it properly.)

(Peter Roberts) #6

Ah, I never even knew about + until today myself. I didn’t know you could encode a space in other parts of a URL and I immediately only thought about a hostname which I don’t think can contain a space unless you can put it in punycode? Though I guess you also have optional auth parts of the URL and other stuff?


If by host name you mean a domain: No, a domain can’t contain spaces (for your lan internal host names you can do whatever your OS other infrastructure supports, but I doubt you’ll get very far)

Not sure what you mean by that?

(Peter Roberts) #8

An example URL might be https://user:password@my.domain.tld/resource/path?query_param=value. In writing that I realised that the resource path is the bit you were probably thinking of that can’t use + to encode space right?


I see. No, you can’t encode spaces with + there.

Specifically, You can only use + in application/x-www-form-urlencoded content (anything after the ?). Everything before that (including the auth parts) need to use % encoding.


I think I may have been too quick here. What is most likely happening is that Facebook (or someone else along the way) encodes the query string twice: (1) [space] to + (2) + to %2B. Thus monzo is most likely seeing %2B and correctly decodes it to +. I think I have seen that before from Facebook messenger…

Would be interested to know: when you look at your adress bar after sharing through fb messenger does it have + or %2B in the url?

If it’s the former, and monzo stil shows the + in the payment reference then it’s Monzo’s fault, if it’s the latter than it’s someone else’s fault.

(Peter Roberts) #11

I tested it my self before posting - Monzo produces a valid URL containing only %20. There are no actual spaces in the output from Monzo. After visiting the page through messenger.com in a browser I end up at a URL where %20 is now +

So in summary, I don’t think decoding of %2B is involved on Monzo’s end - they just fail to decode +

Edit: And I have a suspicion that its actually only when opening the Monzo.me link through the Monzo app and doing a P2P payment. I can’t verify this though as I cannot pay myself :smiley:


You can pay me to test it out? :joy:

(I only vaguely understand what’s going on here)

(Peter Roberts) #13

If you give me a monzo.me link it should be straightforward to confirm it with one test. As long as you pay me back after :stuck_out_tongue:



And of course I would.

(Peter Roberts) #15

Thanks, I’ve added a ?d=This+should+have+spaces to it here

Opening it in my web browser looks fine


(Peter Roberts) #16

Thanks @BethS for helping me test it out :+1:. It worked as expected so it isn’t what I thought :man_shrugging:

Could be a iOS related maybe? I have Android. Otherwise @nanos you might be onto the right cause but it doesn’t gel with the stuff I’m seeing :confused:


It’s come through like that :+1: I also have android.


This at least confirms that Monzo is in principle able to cope with + correctly, which is good.

The interesting question would be to share this link through messanger:


And see what happens in browser vs in app

When doing so in browser, check the address bar for %20 vs + vs %2B

(Peter Roberts) #19

It turns into https://monzo.me/elizabethtscott?d=This+should+have+spaces in messenger.com in a browser. Same when opening in browser on my android phone. I don’t have iOS to test it on


It does then indeed appear that I was too quick to blame monzo. Apologies!

In summary:

  • for whatever reason fb messanger converts, %20 encoding to +. While pointless, that’s entirely legal.
  • monzo correctly understands both %20 and + as [space]
  • it does then appear that someone else somewhere is converting + to %2B, and this is causing problems. That could be either the fb messanger of monzo ios apps, or some 3rd party, I suppose
  • from experience I also know that fb messanger frequently messes up URLs, so it doesn’t surprise me too much

(Peter Roberts) #21

The op screen capture is from iOS so I don’t think we can say anything except that in an all android environment things look good. There’s a good chunk of the test matrix we haven’t touched yet :wink: