views:

6423

answers:

3

I need to redirect to a url passing a parameter as a query string.

This can include an Ampersand in the value. such as

string value = "This & That";
Response.Redirect("http://www.mysite.com/?Value=" + Server.UrlEncode(value));

This howerver returns http://www.mysite.com/?Value=This+&+That

What should I be using to encode this string?

EDIT: Thanks Luke for pointing out the obvious, the code does indeed work correctly. I Apologise, my question was not a valid question after all!

The page I was going to had a lot of old legacy code which is apprently doing some kinda of encoding and decoding itself making it appear as if my urlencode was not working.

My solution unfortunately is to completely drop use of an & until the code in question can be re-written. Don't you just hate old code!

+3  A: 

Technically doing:

value = value.Replace("&", "%26")

will do the trick.

EDIT: There seem to be some tricky issues with the whole UrlEncode/HttpEncode methods that don't quite do the trick. I wrote up a simple method a while back that may come in handy. This should cover all the major encoding issues, and its easy to write a "desanitizer" as well.

Protected Function SanitizeURLString(ByVal RawURLParameter As String) As String

      Dim Results As String

      Results = RawURLParameter

      Results = Results.Replace("<", "%3C")
      Results = Results.Replace(">", "%3E")
      Results = Results.Replace("#", "%23")
      Results = Results.Replace("%", "%25")
      Results = Results.Replace("{", "%7B")
      Results = Results.Replace("}", "%7D")
      Results = Results.Replace("|", "%7C")
      Results = Results.Replace("\", "%5C")
      Results = Results.Replace("^", "%5E")
      Results = Results.Replace("~", "%7E")
      Results = Results.Replace("[", "%5B")
      Results = Results.Replace("]", "%5D")
      Results = Results.Replace("`", "%60")
      Results = Results.Replace(";", "%3B")
      Results = Results.Replace("/", "%2F")
      Results = Results.Replace("?", "%3F")
      Results = Results.Replace(":", "%3A")
      Results = Results.Replace("@", "%40")
      Results = Results.Replace("=", "%3D")
      Results = Results.Replace("&", "%26")
      Results = Results.Replace("$", "%24")

      Return Results

End Function
Dillie-O
i was hoping for something more... built in...
Robin Day
Zhaph - Ben Duguid
Technically, you only need to 'Sanitize' forward slashes, ampersands, and question marks. URLEncode will do the rest.
BC
For some reason I thought spaces had to be re-encoded to the %20 and not +, or can it go either way?
Dillie-O
@Dillie-O, The recommended encoding for space is now "%20", but historically "+" was used (see page 7 of http://tools.ietf.org/html/rfc1630 for more info). Pretty much all browsers/servers etc will handle either encoding, though I've no idea why .NET still uses the obsolete "+".
LukeH
+5  A: 

The documentation suggests that Server.UrlEncode should handle ampersands correctly.

I've just tested your exact code and the returned string was correctly encoded:

http://www.mysite.com/?Value=This+%26+That

LukeH
You are totally correct! The page I was using was going to had a lot of old legacy code which is apprently doing some kinda of encoding and decoding itself making it appear as if my urlencode was not working. This works correctly.. as it should!!
Robin Day
In situations where you don't have a Server variable, you can also access the urlencode/urldecode methods through System.Web.HttpUtility
Adam Lassek
A: 

Another character that needs escaping is the apostrophe. Replace it with %27.

string url = Server.UrlEncode(value).Replace("'", "%27);

HttpUtility.UrlEncode() And Server.UrlEncode() do not replace this character along with a few others for backwards compatibility with other .Net Frameworks. See this microsoft article for details: http://connect.microsoft.com/VisualStudio/feedback/details/214349/httputility-urlencode-does-not-encode-apostrophe

goku_da_master