When a user enters an e-mail on my web site, I send an e-mail verification e-mail that contains a link. The link looks something like:

http://mysite.com/[email protected]&token=12341234

This particular user's e-mail contains '+' (plus), so the link looks like:

http://mysite.com/[email protected]&token=12341234

When the link is clicked (at least in Firefox), the plus is replaced with a space.

Question: What URL encoding function do I use in .NET to escape the plus?

Note: Uri.EscapeUriString(email) leaves plus intact.

+2  A: 

You could try the UrlEncode method:

string encodedEmail = HttpUtility.UrlEncode(email);
Darin Dimitrov
+2  A: 

You can use Uri.EscapeDataString instead - I've just verified that that converts "Foo+Bar" into "Foo%2BBar".

To be honest, I'd appreciate it if MS provided a little more guidance on the difference between these methods, as well as HttpUtility.UrlEncode (which isn't available on all platforms).

Jon Skeet
A: 

The best thing you can do is to hash or encrypt the e-mail address, or somehow "include" it in your token.

That way, your link can look like: http://mysite.com/VerifyEmail?token=12341234480348204023

Or: http://mysite.com/VerifyEmail?emailcode=A124E4F325O425FE5F4J6636K66L&token=12341234

If you follow the hash route, remember that Base64 also uses + for its encryption. The common practice is to replace it by an @ or something else:

var emailcode = Convert.ToBase64String(GetHashBytes(email)).Replace('+', '@');

Then, when you perform the confirmation:

// Restore '+' on the string first; Replace cannot be called on the decoded byte[].
var emailcodebytes = Convert.FromBase64String(Request["code"].Replace('@', '+'));
Fábio Batista
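
An added example, not code from any of the answers above: it combines Uri.EscapeDataString for the address with a token that is an HMAC-SHA256 over the address (a keyed variant of the "include it in your token" idea), encoded as Base64url so it contains no '+', '/' or '='. The VerifyLink class, the email query parameter name, the sample address and the key handling are assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class VerifyLink
{
    // Base64url (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped,
    // so the value needs no further escaping in a query string.
    static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string text)
    {
        string s = text.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // Keyed hash over the exact address; without the key a client cannot forge it.
    static byte[] Tag(byte[] key, string email)
    {
        using var hmac = new HMACSHA256(key);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(email));
    }

    // EscapeDataString percent-encodes '+' and '@'; the path and parameter names are assumed.
    public static string BuildLink(byte[] key, string email) =>
        "http://mysite.com/VerifyEmail?email=" + Uri.EscapeDataString(email) +
        "&token=" + ToBase64Url(Tag(key, email));

    // email and token are the already-decoded query values, as Request[...] returns them.
    public static bool IsValid(byte[] key, string email, string token)
    {
        try { return CryptographicOperations.FixedTimeEquals(FromBase64Url(token), Tag(key, email)); }
        catch (FormatException) { return false; }   // token is not valid Base64
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed key; keep the real one server-side
        string email = "first+tag@example.com";            // constructed sample address
        string link = BuildLink(key, email);
        Console.WriteLine(link);
        string token = link.Substring(link.IndexOf("&token=") + 7);
        Console.WriteLine(IsValid(key, email, token));                    // address as sent
        Console.WriteLine(IsValid(key, "first tag@example.com", token));  // '+' arrived as a space
    }
}
```

Because the tag covers the address, a link whose '+' was turned into a space, or whose address was edited, fails verification instead of confirming a different address. This token carries no expiry or single-use state, so those checks still belong server-side.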