What would be the best way to properly concatenate a string with a URL inside? Would this be okay?

String.Format("This is the link: <a href={0}>{1}</a>", somevalue1, somevalue2)

Or does it leave the door open for injection attacks?

So how would I insert a hyperlink within a string?

I guess I could do it with the HyperLink class, but then is there any property that returns the HTML code for the class object?

A: 

You missed the quotes:

String.Format("This is the link: <a href=\"{0}\">{1}</a>", somevalue1, somevalue2)
User
Yes, but it still won't encode it properly or securely.
colithium
+1  A: 

This article talks about how to accomplish this in a secure way using HttpUtility.UrlEncode.

colithium
I don't believe that's what he's looking for. He's setting the `href` attribute and the text of the anchor. He's not building a URL that needs to have its query string values encoded.
Blixt
He asked about possible security concerns so I assumed he was taking input from users
colithium
A: 

You could override the .ToString() method of the class so that it returns the HTML, i.e.

public class Hyperlink
{
    private string url;

    public Hyperlink(string URL)
    {
        this.url = URL;
    }

    public string DisplayText { get; set; }
    public string URL { get { return this.url; } }

    public override string ToString()
    {
        return String.Format(@"<a href=""{0}"">{1}</a>", this.url, this.DisplayText);
    }

}

Then you could do something like:

var hl = new Hyperlink("www.stackoverflow.com");
hl.DisplayText = "Stack Overflow";
var link = String.Format("This is a link: {0}", hl);

Then you can apply whichever encoding you wish to the full string if need be.

James
Not URL Encoded
colithium
The question only asked how to put an HTML hyperlink into a string.
James
A: 

If you set what you get from your client as the link's href, it always opens a backdoor for injection attacks.

You should use HttpUtility.UrlEncode to encode the query strings of your links, to get secure links.

Canavar
+3  A: 

To avoid HTML injection, you would do this:

String.Format("This is the link: <a href=\"{0}\">{1}</a>",
    HttpUtility.HtmlEncode(somevalue1), HttpUtility.HtmlEncode(somevalue2))

Do not use UrlEncode for HTML values (attributes and text), because it will just look garbled. UrlEncode is for query string values, i.e. page.aspx?param=value+that+has+been+encoded

Blixt
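An added example, not code from Blixt's answer or from the original thread: it wraps the HtmlEncode call above in a small helper and, as an extra check the answer does not mention, accepts only absolute http(s) URLs, because HtmlEncode stops a value from breaking out of the attribute but does not vet the URL's scheme. `SafeAnchor`, `Build` and the sample inputs are assumed names and constructed values.

```csharp
using System;
using System.Web;

public static class SafeAnchor
{
    // Builds the anchor markup from attacker-controlled url and text.
    // Throws if url is not an absolute http/https URL; this scheme check is an
    // addition beyond the answer above, since HtmlEncode alone does not reject
    // other schemes.
    public static string Build(string url, string text)
    {
        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed)
            || (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps))
        {
            throw new ArgumentException("Only absolute http/https URLs are allowed", "url");
        }

        // HtmlEncode turns ", <, > and & into entities, so the value can neither
        // close the href attribute nor start a new element. It is the encoder for
        // attribute values and element text; UrlEncode belongs only inside a query string.
        return String.Format("This is the link: <a href=\"{0}\">{1}</a>",
            HttpUtility.HtmlEncode(parsed.AbsoluteUri),
            HttpUtility.HtmlEncode(text));
    }

    public static void Main()
    {
        // Constructed sample values: the second call uses link text containing
        // characters that would alter the markup if inserted unencoded.
        Console.WriteLine(Build("http://stackoverflow.com/?q=a&b=c", "Stack Overflow"));
        Console.WriteLine(Build("http://example.com/", "<b>not bold</b> \"quoted\""));
    }
}
```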
+3  A: 

The below uses HyperLink and should work. However, consider whether you really need an intermediate string in the first place.

using System.IO;
using System.Web.UI;
using System.Web.UI.WebControls;

HyperLink link = new HyperLink() { NavigateUrl = "http://stackoverflow.com", Text = "StackOverflow" };
StringWriter sw = new StringWriter();
HtmlTextWriter htw = new HtmlTextWriter(sw);
link.RenderControl(htw);   // the control writes its HTML into the StringWriter
sw.Close();
String rendered = sw.ToString();
Matthew Flaschen
+1 for explaining how to get the HTML from the `HyperLink` control.
Blixt
Thank you. That's what I wanted to know :)
Janis Veinbergs