ansaurus

Question

Double/incomplete Parameter Url Encoding

Answer 1

A:

Have you tried using the Server.UrlEncode() method to do the encoding, and the Server.UrlDecode() method to decode?

I have not had any issues with using it for passing items.

Mitchel Sellers 2008-10-27 15:13:07

Thanks for your feedback. Please see my original post for the edit I made. I think my question wasn't clear enough.

borisCallens 2008-10-27 16:05:40

Answer 2

A:

Server.URLEncode or HttpServerUtility.UrlEncode

I see what you're saying now - I didn't realize the question was specific to MVC. Looks like a limitation of that part of the MVC framework - particularly BuildUrlFromExpression is doing some URL encoding, but it knows that also needs some of those punctation as part of the framework URLs.

And also unfortunately, URLEncoding doesn't produce an invariant, i.e.

URLEncode(x) != URLEncode(URLEncode(x))

Wouldn't that be nice. Then you could pre-encode your variables and they wouldn't be double encoded.

There's probably an ASP.NET MVC framework best practice for this. I guess another thing you could do is encode into base64 or something that is URLEncode-invariant.

Cade Roux 2008-10-27 15:13:35

UrlEncode strangely enough doesn't use this http://www.w3schools.com/TAGS/ref_urlencode.asp. Space for example gets encoded to %25.

borisCallens 2008-10-27 15:23:07

HttpUtility.UrlPathEncode does though

borisCallens 2008-10-27 15:24:30

Indeed that is my problem. Thanks for passing by again.

borisCallens 2008-10-28 13:36:16

Answer 3

+2 A:

Parameters should be escaped using Uri.EscapeDataString:

            string url = string.Format("http://www.foo.bar/page?name={0}&amp;address={1}",
                Uri.EscapeDataString("adlknad /?? lkm#"),
                Uri.EscapeDataString(" qeio103 8182"));

            Console.WriteLine(url);
            Uri uri = new Uri(url);
            string[] options = uri.Query.Split('?','&');
            foreach (string option in options)
            {
                string[] parts = option.Split('=');
                if (parts.Length == 2)
                {
                    Console.WriteLine("{0} = {1}",parts[0],
                        Uri.UnescapeDataString(parts[1]));
                }
            }

Marc Gravell 2008-10-27 15:16:49

Thanks for the feedback, but please note the asp.net-mvc tag. I edited my question to clear things up.

borisCallens 2008-10-27 16:04:45

Tags change quickly; I went just by the original question ;-p But fair enough...

Marc Gravell 2008-10-27 22:37:03

Answer 4

A:

Try using the Microsoft Anti-Cross Site Scripting library. It contains several Encode methods, which encode all the characters (including #, and characters in other languages). As for decoding, the browser should handle the encoded Url just fine, however if you need to manually decode the Url, use Uri.UnescapeDataString

Hope that helps.

hmemcpy 2008-10-27 15:19:07

It's a usefull link alright, but I think it's not gonna solve my problem. I tried to make my problem more clear in my edit. Please have a look.

borisCallens 2008-10-27 16:03:44

Answer 5

A:

Escaping of forward slahes and dots in path part of url is prohibited by security reason (althrough, it works in mono).

derigel 2008-11-03 10:11:51

why is that? what with parameters that require these things...I know I should try not to have these, but it's an external data source. People use it to search things. There is no way I can change the data...

borisCallens 2008-11-05 15:17:49

Answer 6

A:

Html.BuildUrlFromExpression needs to be fixed then, would submit this upstream to the MVC project... alternatively do the encoding to the string before passing to BuildUrlFromExpression, and decode it when it comes back out on the other side.

It may not be readily fixable, as IIS may be handling the decoding of the url string beforehand... may need to do some more advanced encoding/decoding for alternative path characters in the utility methods, and decode on your behalf coming out.

Tracker1 2008-12-19 06:41:14

Answer 7

+1 A:

AS others have mentioned, if you encode your string first you aviod the issue.

The MVC Framework is encoding characters that it knows it needs to encode, but leaving those that are valid URL characters (e.g. & % ? * /). This is because these are valid URL characters, although they are special chracters in a URL that might not acheive the result you are after.

Ady 2008-12-23 09:16:17

Wouldn't characters with system-used characters make even more reason to encode them? I don't see any reason why I should pass in a parameter that does already do (part of) the work the actual method is supposed to do.

borisCallens 2009-08-03 09:51:32

It's not because they are system used, but because they are not valid characters according to the URL specification that they are encoded. However other characters that define meaning in a URL are not encoded because the are perfectly valid.

Ady 2009-09-09 10:55:07

Answer 8

A:

I've seen similar posts on this. Too me, it looks like a flaw in MVC. The function would be more appropriately named "BuildUrlFromEncodedExpression". Whats worse, is that the called function needs to decode its input parameters. Yuk.

If there is any overlap between the characters encoded BuildUrlFromExpression() and the characters encoded by the caller (who, I think might fairly just encode any non-alphanumeric for simplicities sake) then you have potential for nasty bugs.

Frank Schwieterman 2008-12-24 18:48:43

ansaurus

tags:

views:

answers:

Double/incomplete Parameter Url Encoding

related questions