tags:

views:

468

answers:

2
+1  Q: 

How may i escape / and other characters in asp.net?

When i visit http://localhost:17357/u/a%2fa/m/ssd-10 and look at HttpContext.Current.Request.Url in Application_BeginRequest i see http://localhost:17357/u/a/a/m/ssd-10 huh? shouldnt i get http://localhost:17357/u/a%2fa/m/ssd-10? i thought the point of escaping urls is so ?, &, / and other special symbols not be confused with their special meaning in urls. Maybe theres a config i need to tweak?

I created 4 usernames, there are

a?@!&ee
a?@!/&ee
as d
クイン

with the links as

<a href="/u/a%3f%40%21%26ee">a?@!&amp;ee</a><br>
<a href="/u/a%3f%40%21%2f%26ee">a?@!/&amp;ee</a><br>
<a href="/u/as%20d">as d</a><br>
<a href="/u/%ef%bd%b8%ef%bd%b2%ef%be%9d">クイン</a>

The last two work, but the first two i get the exceptio

A first chance exception of type 'System.ArgumentException' occurred in mscorlib.dll

Additional information: Illegal characters in path.

then

A first chance exception of type 'System.Web.HttpException' occurred in System.Web.dll

Additional information: '/u/a?@!&ee' is not a valid virtual path.

and my page says Bad Request. How can i allow these usernames to work. If its impossible how can i write a workaround?

+4  A: 

You need to escape it again. Use %252f instead of %2f. To clarify, the URL is unencoded when the server receives it. URL encoding allows you to pass in a / that the server processes as a character instead of the special function that a reserved character would normally trigger. See the Wikipedia page for more info.

Concerning your error with the a?@!&ee username, it seems almost certain that you're running into a problem that ASP.NET has with special characters (even urlencoded properly) that are not in the query string (that is, after the ? part of the URL). Joshua Flanagan talks about it in a blog post, and identifies %, &, *, and : as the problematic characters.

He points to a Dirk.Net blog post that offers a couple of fixes. First, you can edit the registry to allow restricted characters (adding a DWORD key AllowRestrictedChars to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and setting its boolean value to true). Or, you can ensure that you have the .NET framework 1.1 SP1 and edit the registry to set ASP.NET VErification Compatibility to true (DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET VerificationCompatibility = 1). Third, you can try setting ValidateRequest to false on the ASPX page. Finally, as Joshua decided to do, you can pass the information using the query string, i.e. after the ? as ASP.Net originally (pre MVC) expected.

jball  2010-02-04 02:44:21
good answer. do you know of any other chars i need to escape twice?
acidzombie24  2010-02-04 02:51:09
Percent-encoding the percent (i.e. using `%25` instead of `%`) should cover all the cases. You can chain it as many times as you like, if a URL is going to be passed around a lot, for example `%252525252f` is escaped 5 times (4 `25`s and the original escaped `%2f`.
jball  2010-02-04 03:04:17
hey `%252f` gets me a bad request.
acidzombie24  2010-02-04 03:18:07
Is there a specific error associated with it?
jball  2010-02-04 03:25:43
I just did a test, and I'm able to hyperlink to a file in a folder named `sdlk%252fsd` with `href="/sdlk%252fsd/test.txt"`, so I think you're probably running into a different problem if `%252f` is breaking the request.
jball  2010-02-04 03:31:20
I am using 3.5. I added both to the registry (dword, i double checked both again now) and `validateRequest` (lower v) has already be set to allow `unsafe` POST data. Still no luck :(
acidzombie24  2010-02-09 04:05:28
What OS are you running it on (name and 32/64 bit), and what version of IIS (version number and 32/64 bit)?
jball  2010-02-09 16:53:08
Thats probably the reason, i thought it was a .NET config (from the first link) then IIS. I am using MSVS built in web server. I would like to use IIS8 but i am long from completing development and dont have a server nor access to one.
acidzombie24  2010-02-14 08:12:58
A: 

I wrote my own solution. Its nice to have a username with / but not consider as / when getting a GET request.

acidzombie24  2010-03-01 12:00:19

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps