Consider a link to a page for a user's profile. A page is creating that URL like this:
//Model.Name has value "<bad guy>"
Html.ActionLink("foo", "ViewUser", new { id=5, title=Url.Encode(Model.Name) })
The actual outcome was
http://mysite/Users/5/%253cbad%2guy%253e
When navigating to that URL, the server generates an HTTP Error 400 - Bad Request.
The problem surfaces when testing out 'interesting' user inputs with < and >, but anything could come from the user, and therefore be put in a URL by way of Model.Name.
Question:
Given that the Model.Name may contain Unicode characters, or characters otherwise illegal in URLs:
- what's the best way to strip out illegal characters, or otherwise encode them?
- should the user's input be sanitized BEFORE being saved to the database, thereby preventing the encoding attempt above?
- which characters should be sanitized (i.e. not allowed) when thinking of having that string be part of a URL?
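The following is an added example, not code from the question: it shows why pre-encoding a route value produces a double-encoded segment (routing encodes route values once more when it builds the link), and a whitelist slug helper that keeps the title cosmetic while the numeric id stays the real key. It assumes MVC's Url.Encode behaves like System.Net's UrlEncode for this purpose (it encodes the same reserved characters); the class and method names are made up for the example.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

static class UrlSegments
{
    // Route values handed to Html.ActionLink are encoded by the routing layer.
    // Encoding the value yourself first means the '%' signs get encoded again,
    // which is how "%3c" turns into "%253c" in the generated link.
    public static string ShowDoubleEncoding(string name)
    {
        string once  = WebUtility.UrlEncode(name);   // what routing would produce on its own
        string twice = WebUtility.UrlEncode(once);   // what Url.Encode + routing produces
        return "single: " + once + Environment.NewLine + "double: " + twice;
    }

    // Whitelist approach for a human-readable path segment: keep ASCII letters,
    // digits and '_', fold runs of anything else (space, '<', '>', '/', '%',
    // non-ASCII) to a single '-'. Accents are stripped via FormD decomposition.
    // The stored name is left untouched; the slug is derived when the link is built.
    public static string ToSlug(string name, int maxLength = 80)
    {
        if (string.IsNullOrEmpty(name)) return string.Empty;
        var sb = new StringBuilder();
        foreach (char c in name.Normalize(NormalizationForm.FormD))
        {
            if (CharUnicodeInfo.GetUnicodeCategory(c) == UnicodeCategory.NonSpacingMark)
                continue;                                   // drop combining accent marks
            if (c < 128 && (char.IsLetterOrDigit(c) || c == '_'))
                sb.Append(char.ToLowerInvariant(c));
            else
                sb.Append('-');
        }
        string slug = Regex.Replace(sb.ToString(), "-{2,}", "-").Trim('-');
        return slug.Length > maxLength ? slug.Substring(0, maxLength).TrimEnd('-') : slug;
    }

    public static void Main()
    {
        // Constructed sample inputs, including the one from the question.
        Console.WriteLine(ShowDoubleEncoding("<bad guy>"));
        Console.WriteLine(ToSlug("<bad guy>"));
        Console.WriteLine(ToSlug("Zoë / Ünïcode?"));
        // In the view this becomes:
        // Html.ActionLink("foo", "ViewUser", new { id = 5, title = UrlSegments.ToSlug(Model.Name) })
    }
}
```

Because the id, not the title, identifies the user, a slug that drops characters still resolves to the right profile, and the raw name never reaches the path.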