views:

93

answers:

1

Consider a link to a page for a user's profile. A page is creating that URL like this:

//Model.Name has value "<bad guy>"
Html.ActionLink("foo, "ViewUser", new { id=5, title=Url.Encode(Model.Name) })

The actual outcome was

http://mysite/Users/5/%253cbad%2guy%253e

When navigating to that URL, the server generates a HTTP Error 400 - Bad Request.

The problem surfaces when testing out 'interesting' user inputs with < and >, but anything could come from the user, and therefore be put in a URL by way of Model.Name.

Question: Given that the Model.Name may contain Unicode characters, or characters otherwise illegal in URLs:

  • what's the best way to strip out illegal characters, or otherwise encode them?
  • should the user's input be sanitized BEFORE being saved to the database, thereby preventing the encoding attempt above?
  • which characters should be sanitized (i.e. not allowed) when thinking of having that string be part of a URL?
+1  A: 

One way is to use base 64 encoding on any parameters that might contain the special characters.

See here for an example:

Allowing special characters in ASP.Net MVC URL parameters
http://gathadams.com/2009/01/06/allowing-special-characters-forward-slash-hash-asterisk-etc-in-aspnet-mvc-urls/

Robert Harvey