views:

421

answers:

5

I have a little problem and I'm hoping that you can help me solve this annoying issue.

I need to use an iFrame in an administration panel to let users use the selection service, and in the HTML I have:

<iframe scrolling="yes" runat="server" title="Par Selection" id="iFrame"
    frameborder="0" enableviewstate="true" width="100%" height="490" />

in my code-behind file I have:

iFrame.Attributes.Add("src", String.Format(
            "https://www.parurval.se/urval/?username={0}&amp;password={1}",
            parSettings.GetSettings(parSettings.SettingsType.PARSelection, parSettings.SectionType.Username),
            parSettings.GetSettings(parSettings.SettingsType.PARSelection, parSettings.SectionType.Password)));

The output is this:

<iframe id="tcMain_tabPARSelection_iFrame" scrolling="yes" title="Par Selection"
   frameborder="0" width="100%" height="490"
   src="https://www.parurval.se/urval/?username=myUsername&amp;amp;password=myPassword">
</iframe>

Please note the &amp; instead of the & sign in the src address when passing the username and password.

How can I prevent this?

I tried with HttpUtility.Decode( myCompleteUrl ) but with the same result :(

The worst thing is, if the src attribute has only the address

... src="https://www.parurval.se/urval/" ...

I'm not able to input the user/pwd: I see the form and I can enter text, but it does nothing, it only refreshes the iframe's inner page; doing this in a full window works fine.

And in that administration panel I have a textbox for the user to add the username and password, so that when entering the Administration page I jump directly to the service in the iFrame and the user does not need to enter user/pwd to log in every time; that is why I'm trying to add those values dynamically.

Any ideas?

Added: If I put the correct URL address (with user and pwd) in the iFrame src attribute in the HTML side (not dynamically) all works fine :(

A: 

This seems like a case where you can take advantage of URL encoding to hide the &, bypassing XML encoding. & is U+0025, so you can encode it as %25: https://www.parurval.se/urval/?username={0}%25password={1}

MSalters
It was absurd the first time I read it, but I had to try before I write something. Did you try this yourself?
balexandre
A: 

You should use

    HttpUtility.HtmlEncode(String.Format("https://www.parurval.se/urval/?username={0}&amp;password={1}",
        parSettings.GetSettings(parSettings.SettingsType.PARSelection, parSettings.SectionType.Username),
        parSettings.GetSettings(parSettings.SettingsType.PARSelection, parSettings.SectionType.Password)));
Greco
Encode??? I'm guessing that you did not understand either my problem or the Encode function.
balexandre
+5  A: 

The presence of the &amp; is actually correct there. Most browsers are forgiving enough not to choke on just seeing & there, but it's technically not correct.

Yuliy
That can be true, but it does not solve my problem :(
balexandre
I will forward this issue to the website owner then. Thanks for the help.
balexandre
+2  A: 

“&” is a special character in HTML (more specifically in SGML), so encoding it is the correct thing to do. Yes, even in link URLs.

Bombe
+1  A: 

The HTML 4.01 specification states:

Authors should use "&amp;" (ASCII decimal 38) instead of "&" to avoid confusion with the beginning of a character reference (entity reference open delimiter). Authors should also use "&amp;" in attribute values since character references are allowed within CDATA attribute values.

So encoding the & as &amp; is correct behavior since the interpretation of the src attribute value (CDATA data type) is described as:

CDATA is a sequence of characters from the document character set and may include character entities. User agents should interpret attribute values as follows:

  • Replace character entities with characters,
  • Ignore line feeds,
  • Replace each carriage return or tab with a single space.

Otherwise src attribute values like /foo?bar&sect=123 would be ambiguous as they can be interpreted either literally as /foo?bar&sect=123 or (replacing the sect entity) as /foo?bar§=123.

Gumbo
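As an added illustration (not code from the thread), here is a small attribute-value decoder in JavaScript that follows the CDATA rules Gumbo quotes, next to the single encoding step an ASP.NET control applies at render time for Attributes.Add. Run together they show why the question's &amp; in the C# string comes out as &amp;amp;, why a plain & in the source string is the right input, and the /foo?bar&sect=123 ambiguity; the entity table is a constructed subset.

```javascript
// Constructed subset of named entities, enough for the cases on this page.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', sect: "\u00A7" };

// Decode a CDATA attribute value the way HTML 4.01 tells user agents to:
// replace character entities, ignore line feeds, map CR/tab to one space.
// The optional ";" mirrors the legacy leniency that makes "&sect=" ambiguous.
function decodeAttributeValue(raw) {
  const withEntities = raw.replace(
    /&(?:#(\d+)|#x([0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9]*));?/g,
    (match, dec, hex, name) => {
      if (dec) return String.fromCodePoint(Number(dec));
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      return name in NAMED_ENTITIES ? NAMED_ENTITIES[name] : match;
    }
  );
  return withEntities.replace(/\n/g, "").replace(/[\r\t]/g, " ");
}

// Encode a raw value for a double-quoted attribute: this is the single
// encoding pass the server control performs when it renders the iframe.
function encodeAttributeValue(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// What the browser sees after the control renders src="..." from the
// string the code-behind supplied, then decodes it as an attribute value.
function srcAsSeenByBrowser(codeBehindString) {
  return decodeAttributeValue(encodeAttributeValue(codeBehindString));
}

// Question's input: "&amp;" already in the C# string gets encoded again,
// so the browser navigates to "...&amp;password=..." and the login fails.
const doubleEncoded = srcAsSeenByBrowser("https://www.parurval.se/urval/?username=u&amp;password=p");
// Correct input: a plain "&" is encoded exactly once and decodes back to "&".
const singleEncoded = srcAsSeenByBrowser("https://www.parurval.se/urval/?username=u&password=p");
```

The same decoder shows the ambiguity from the answer: a literal &sect= in an unencoded src is swallowed as the section-sign entity, while &amp;sect= survives as the query parameter.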