We're using .NET MVC, and we're trying to dynamically (through the controller) set the iFrame's URL. This worked fine on Firefox and Chrome, but not IE. On IE only the first case site lets the user log through correctly. The v10 and v9 sites don't. All sites use querystring params to log in. Their source looks like this (unsuccessful source in IE) - no visible difference.

  • Also, we tried that whole IE7 Security setting Enabled for navigating to frame within another domain - that wasn't the problem; it still doesn't work. Also doesn't work on IE6. Same results as in the screenshots below.

  • Also Html Encoding hasn't worked (not shown, but tried).

Any ideas would be so awesome!

td { font-family: Arial; font-size: small; }  

                    <input type="submit" name="butSubmit" value="MyDg" />

                    <input type="submit" name="butSubmit" value="V9" />

             </td>
        </tr>
    </table>

        <iframe id="displayFrame" src="http://my.totallyinsecuretopostthis.com/Login.aspx?&amp;uname=sdavis&amp;pword=04ab" style="width: 100%; height: 95%;"></iframe>
    </form>


successful source in IE7:

td { font-family: Arial; font-size: small; }

                    <input type="submit" name="butSubmit" value="MyDg" />

                    <input type="submit" name="butSubmit" value="V9" />

             </td>
        </tr>
    </table>

        <iframe id="displayFrame" src="http://www.totallyinsecuretopostthis.com/users/428/login/700bc1c8d837f30fdbc03cfc03b58c02" style="width: 100%; height: 95%;"></iframe>
    </form>


Code snippet (first View, then Controller):

    <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>
    <%@ Import Namespace="Wingnut.Data.Model"%>

    td { font-family: Arial; font-size: small; }
    <% using (Html.BeginForm("Navigate", "Account", FormMethod.Post)) { %>
        <% TempData["username"] = Model.WingnutUserEmail; %>
        <% TempData["password"] = Model.PasswordHash; %>
        <% if (Model.IsV10User()) { %> <% } %>
        <% if (Model.IsV9User()) { %> <% } %>
        <% string url = ViewData["iFrameURL"].ToString(); %>
        <% if (ViewData["iFrameURL"].ToString() != "popup") { %>
            " style="width: 100%; height: 95%;">
        <% } %>

(now Controller code:)

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Navigate(string butSubmit) {
        _service = new SSOUserService();
        SingleSignOnUser wnUser = _service.GetValidUser(TempData["username"].ToString(), TempData["password"].ToString());

        ViewData["iFrameURL"] = "http://www.usatoday.com";

        try {
            //if you are supposed to bypass the intersect page...
            if (wnUser != null) {
                switch (butSubmit) {
                    case "WN":
                        if (wnUser.IsWingnutUser())
                            ViewData["iFrameURL"] = string.Format("http://www.totallyinsecuretopostthis.com/users/{0}/login/{1}", wnUser.WingnutId, wnUser.WingnutToken);
                        else {
                            // do popup to capture this person's correct, but uncaptured, Wingnut password
                            // try to authenticate, if can, save, and proceed
                            // else, give error message / popup finally
                            ViewData["iFrameURL"] = "popup";
                            ViewData["popupText"] = "Oops. During the Totallyinsecuretopostthis's recent Single Sign On effort, we require that you enter your Totallyinsecuretopostthis" +
                                "password for us here one time only for authentication to SomePlace:";
                        }
                        break;

                    case "MyDg":
                        if (wnUser.IsV10User()) {
                            ViewData["iFrameURL"] =
                                string.Format(@"http://my.totallyinsecuretopostthisv10.com/Login.aspx?&amp;uname={0}&amp;pword={1}",
                                              wnUser.V10UserCredentials.LoginName,
                                              wnUser.V10UserCredentials.Password);
                        }
                        break;

                    case "V9":
                        if (wnUser.IsV9User()) {
                            ViewData["iFrameURL"] =
                                string.Format(
                                    @"https://login.totallyinsecuretopostthisv9.com/clients/OtherPages/ExternalSignIn.aspx?UserName={0}&amp;Password={1}",
                                    wnUser.V9UserCredentials.LoginName, wnUser.V9UserCredentials.Password);
                        }
                        break;
                }
            }
        }

        catch (Exception ex) {
            ModelState.AddModelError("Errors", ex.Message);
        }

        return View("Navigation", wnUser);
    }


A: 

Use HttpUtility.HtmlAttributeEncode to encode the ampersand in the URL:

ViewData["iFrameUrl"] = HttpUtility.HtmlAttributeEncode( string.Format( ... ) );

I would suggest doing it while rendering the <a> tag in the view instead of hardcoding it in the controller.

Mehrdad Afshari
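
Added example, not part of the original answer or the asker's project: it shows why the URL should be built with raw `&` separators and HTML-attribute-encoded once when the `src` attribute is rendered, and what the target's query parser sees when a string that already contains `&amp;` is encoded a second time. The helper names `BuildLoginUrl`, `RenderIframe` and `KeysSeenByServer`, the host `example.invalid` and all sample values are assumptions made for the illustration.

```csharp
using System;
using System.Web;

static class IframeSrcEncoding
{
    // Hypothetical helper (controller side): percent-encode each value and
    // join the pairs with a raw '&'. No HTML entities belong in this string.
    static string BuildLoginUrl(string baseUrl, string user, string secret)
    {
        return string.Format("{0}?uname={1}&pword={2}",
            baseUrl, Uri.EscapeDataString(user), Uri.EscapeDataString(secret));
    }

    // Hypothetical helper (view side): HTML-encode exactly once, at the point
    // where the URL is written into the src attribute.
    static string RenderIframe(string url)
    {
        return "<iframe id=\"displayFrame\" src=\"" +
               HttpUtility.HtmlAttributeEncode(url) + "\"></iframe>";
    }

    // What the target server's query parser sees after the browser has
    // decoded the attribute value once.
    static string KeysSeenByServer(string attributeValue)
    {
        string decoded = HttpUtility.HtmlDecode(attributeValue);
        var query = HttpUtility.ParseQueryString(new Uri(decoded).Query);
        return string.Join(", ", query.AllKeys);
    }

    static void Main()
    {
        // Constructed sample values; they contain a space, '&' and '"'.
        string raw = BuildLoginUrl("http://example.invalid/Login.aspx", "s davis", "a&b\"c");
        Console.WriteLine(RenderIframe(raw));
        Console.WriteLine(KeysSeenByServer(HttpUtility.HtmlAttributeEncode(raw)));

        // A URL that already carries "&amp;" (as in the controller's format
        // strings) gets encoded a second time and the parameter name changes.
        string pre = "http://example.invalid/Login.aspx?uname=x&amp;pword=y";
        Console.WriteLine(RenderIframe(pre));
        Console.WriteLine(KeysSeenByServer(HttpUtility.HtmlAttributeEncode(pre)));
    }
}
```
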
A: 

It's not something to do with the "?&" at the beginning of the querystring?

Try just: http://my.totallyinsecuretopostthis.com/Login.aspx?uname=sdavis&amp;pword=04ab

spmason
That's what I thought, too - IE doesn't like that syntax, but that wasn't the issue. Finally I found a hack / resolution - I never did get the iFrame src="mystring" to work, but I did create a hack. B/c the site we're trying to navigate to, we own; so on that site we created a 'mirror' pg.
A: 

Finally I found a hack / resolution - I never did get the iFrame src="mystring" to work, but I did create a hack. B/c the site we're trying to navigate to, we own; so on that site we created a 'mirror' page. The pages look identical.

1 - my original page with the iFrame, but now I have an HREF, and when you click to go where I originally wanted...

2 - you hit that login page, and are logged in... but I added querystring params to this login page (we also own this site), and if sso=true, and you are authenticated, you are redirected to...

3 - a page on the Site B with an iFrame that looks identical to the page on Step #1.

It's a hack, and a lot more work, but it 'works,' and is the best for the user's experience that we could ultimately create.

*** Thank you to you guys who provided answers, as well as anyone looking. I appreciate the help so much!