Best way to escape characters before jquery post ASP.NET MVC

Question

Hello, I am semi-new to ASP.NET MVC. I am building an app that is used internally for my company.

The scenario is this: There are two Html.Listbox's. One has all database information, and the other is initally empty. The user would add items from the database listbox to the empty listbox.

Every time the user adds a command, I call a js function that calls an ActionResult "AddCommand" in my EditController. In the controller, the selected items that are added are saved to another database table.

Here is the code (this gets called every time an item is added):

function Add(listbox) { ...
//skipping initializing code for berevity

var url = "/Edit/AddCommand/" + cmd;

$.post(url);

}

So the problem occurs when the 'cmd' is an item that has a '/', ':', '%', '?', etc (some kind of special character)

So what I'm wondering is, what's the best way to escape these characters? Right now I'm checking the database's listbox item's text, and rebuilding the string, then in the Controller, I'm taking that built string and turning it back into its original state.

So for example, if the item they are adding is 'Cats/Dogs', I am posting 'Cats[SLASH]Dogs' to the controller, and in the controller changing it back to 'Cats/Dogs'.

Obviously this is a horrible hack, so I must be missing something. Any help would be greatly appreciated.

Answer 1

use javascript escaping, it does urlencoding.

Javascript encoding

Then in C# you can simple decode it.

It will look as such

function Add(listbox) { ...
//skipping initializing code for berevity

var url = "/Edit/AddCommand/" + escape(cmd);

$.post(url);

}

Answer 2

Have you tried using the 'escape' function, before sending the data? This way, all special characters are encoded in safe characters. On the server-side, you can decode the value.

function Add(listbox) { ...
//skipping initializing code for berevity

var url = "/Edit/AddCommand/" + escape(cmd);

$.post(url);

}

Answer 3

Have you tried just wrapping your cmd variable in a call to escape()?

Answer 4

Why not just take this out of the URI? You're doing a POST, so put it in the form.

If your action is:

public ActionResult AddCommand(string cmd) { // ...

...then you can do:

var url = "/Edit/AddCommand";
var data = { cmd: cmd };
$.post(url, data);

... and everything will "just work" with no separate encoding step.

Answer 5

You could pass the details as a query string. At the moment I'm guessing you action looks like:

public virtual ActionResult AddCommand( string id )

you could change it to:

public virtual ActionResult AddCommand( string cmd )

and then in you javascript call:

var url = "/Edit/AddCommand?cmd=" + cmd;

That way you don't need to worry about the encoding.

A better way would be if you could pass the databases item id rather than a string. This would probably be better performance for your db as well.