I have a situation where I need to put a url inside a GET variable.
for example:
'http://www.site.com/StepOne?b=1&afterUrl=http://www.site.com/StepTwo?someVar=text&b=1'
In this case, when I am at StepOne the b param value will be 1,1 and not 1 as expected.
the afterUrl param will be:
'http://www.site.com/StepTwo?someVar=text'
instead of this:
'http://www.site.com/StepTwo?someVar=text&b=1'
How do I isolate the afterUrl param so its own GET variables won't effect the entire URL.
When you are creating the afterUrl URL parameter, be sure to UrlEncode() the value.
e.g.
var url = String.Format("http://www.site.com/StepOne?b={0}&afterUrl={1}", b, Server.UrlEncode(afterUrl));
Consider using HttpUtility.UrlEncode() for the AfterURL
(EDIT or Server.URLEncode() as others have pointed out)
"http://www.site.com/StepOne?b=1&afterUrl=" +
HttpUtility.UrlEncode(http://www.site.com/StepTwo?someVar=text&b=1");
Then when you finally hit the "StepOne" page you can use HttpUtility.UrlDecode(AfterURL variable name). From there you can Response.redirect or whatever you want with the preserved after url.
Use Server.UrlEncode on someVar to escape out it's querystring values before putting it in the link. You may need to use Server.UrlDecode on the other side to convert it back to the original characters.
Quite simply, you need to URL encode the afterUrl param (actually, you should URL encode all parameters passed to a server), which will turn "http://www.site.com/StepTwo?someVar=text&b=1" into "http%3A%2F%2Fwww.site.com%2FStepTwo%3FsomeVar%3Dtext%26b%3D1", which won't affect the set of parameters. Almost any server framework on the market will automatically decode that back into the string "http://www.site.com/StepTwo?someVar=text&b=1", or at least give you a function to do so yourself.
EDIT:
As this SO question shows, it is possible to URL encode a string without using System.Web, using System.Net.Uri.EscapeDataString().
Related
I am creating a link that creates URL parameters that contains links with URL parameters.
The issue is that I have a link like this
http://mydomain/_layouts/test/MyLinksEdit.aspx?auto=true&source=
http://vtss-sp2010hh:8088/AdminReports/helloworld.aspx?pdfid=193
&url=http://vtss-sp2010hh:8088/AdminReports/helloworld.aspx?pdfid=193%26pdfname=5.6%20Upgrade
&title=5.6 Upgrade
This link goes to a bookmark adding page where it reads these parameters.
auto is wheather to read the following parameters or not
source is where to go after you finish adding or cancelling
url is the bookmark link
title is the name of the bookmark
The values of url and title get entered into 2 fields. Then the user has to click save or cancel.
The problem is when the bookmark page enters the values into the field, it will decode them.
Then if you try to save, it will won't let you save because the pdfname value in the url value has a space in it. It needs the link to not have any spaces. So basically, I want it so that after it enters it in the field, it will still be a %20 instead of a space.
There isn't a problem with source, auto, or title, just the url...
Is there a way to solve this? Like maybe a special escape character I can use for the %20?
Note: I cannot modify the bookmark page.
I am using c#/asp.net to create the link and go to it.
Thanks
Since .NET Framework 4.5 you can use WebUtility.UrlEncode.
It resides in System.dll, so it does not require any additional references.
It properly escapes characters for URLs, unlike Uri.EscapeUriString
It does not have any limits on the length of the string, unlike Uri.EscapeDataString, so it can be used for POST requests
System.Net.WebUtility.UrlEncode(urlText)
Another option is
System.Uri.EscapeDataString()
Uri.EscapeDataString() and Uri.UnescapeDataString() are safe comparing to UrlEncode/UrlDecode methods and does not convert plus characters into spaces when decoding.
Some details from another user: http://geekswithblogs.net/mikehuguet/archive/2009/08/16/134123.aspx
Just use HttpUtilty's UrlEncode method right before you hand off the url;
string encoded = HttpUtility.UrlEncode(url);
I am stumped on this scenario. Basically I have an URL that is passed to a aspx page and then I try to get query string from the URL, but what happens is when I try to get the query string from the URL it omits the '+' and replaces it with an whitespace.
My URL = http://localhost:3872/Test.aspx?mt=jan1TNIixxA1+8tl/0vLLg2PPGq0vMOLEhFQNuG4AJU12VMZpnWTrgar82K5UlXatQT9E9EAUet+q7rq7FoTJf+S2JnSbIptgJDY1EZwRPJDTROktfu5zy25oydmSHB6a4oZetV5mI3s+0R7vW8I0S9d765RHdYU2xkRuojHYZU=
Request["mt"] =jan1TNIixxA1 8tl/0vLLg2PPGq0vMOLEhFQNuG4AJU12VMZpnWTrgar82K5UlXatQT9E9EAUet q7rq7FoTJf S2JnSbIptgJDY1EZwRPJDTROktfu5zy25oydmSHB6a4oZetV5mI3s 0R7vW8I0S9d765RHdYU2xkRuojHYZU=
As you can see these two strings are different.
I thought it was the object to string conversion but this does not seem to be the case cause the value of the object has the omitted '+' before conversion.
What can be done to avoid this character replacement (I want to try and avoid string manipulation)
Also what could the cause of this be?
you are getting that because + is the url encoded representation of space " ". If you want to preseve the plus sign in your value you will need to url encode it:
Send that querystring in URL encoded formate and then you will get the expected result.
see: why Request.QueryString replace + with empty char in some cases?
You can use
MyUrl = MyUrl.Replace("+",#"%2B");
The problem is the '+' character is being converted to whitespace if you use httprequest. If you convert it to its hex value, you can pass it with no problem.
You should use HttpUtility.UrlEncode to generate you parameter value. Currently it seems you are using base64 encoding which is not optimal for query parameters.
Use this:
mt=encodeURIComponent(mt);//if mt be --> jan1TNIixxA1+8tl/0vLLg2PPGq0vMOLEhFQNuG4AJU12VMZpnWTrgar82K5UlXatQT9E9EAUet+q7rq7FoTJf+S2JnSbIptgJDY1EZwRPJDTROktfu5zy25oydmSHB6a4oZetV5mI3s+0R7vW8I0S9d765RHdYU2xkRuojHYZU=
Response.Redirect("Test.aspx?"+mt);
this will encode your URL and after this '+' will converted to "%2B" and if you want to read encoded URL it will not converted to space.
from here
If it is really so important to avoid changing the string when you send it, you could chanhe it AFTER you get ir from httprequest. Maybe you could use:
MyUrl = (Request["mt"].Replace(" ","+"));
There is no possibility to pass the space in url, so when you have a space, you can be sure that there was a '+' in there.
You can get the query string using following method
string strQuery = Request.Url.Query;
I searched SO and found similar questions, but none compared all three. That surprised me, so if someone knows of one, please point me to it.
There are a number of different ways to parse the query string of a request... the "correct" way (IMO) should handle null/missing values, but also decode parameter values as appropriate. Which of the following would be the best way to do both?
Method 1
string suffix = Request.QueryString.Get("suffix") ?? "DefaultSuffix";
Method2
string suffix = Request.QueryString["suffix"] ?? "DefaultSuffix";
Method 3
NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);
string suffix = params.Get("suffix") ?? "DefaultSuffix";
Method 4
NameValueCollection params = HttpUtility.ParseQueryString(Request.RawUrl);
string suffix = params["suffix"] ?? "DefaultSuffix";
Questions:
Would Request.QueryString["suffix"] return a null if no suffix was specified?
(Embarrassingly basic question, I know)
Does HttpUtility.ParseQueryString() provide any extra functionality over accessing Request.QueryString directly?
The MSDN documentation lists this warning:
The ParseQueryString method uses query strings that might contain user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.
But it's not clear to me if that means ParseQueryString() should be used to handle that, or is exposed to security flaws because of it... Which is it?
ParseQueryString() uses UTF8 encoding by default... do all browsers encode the query string in UTF8 by default?
ParseQueryString() will comma-separate values if more than one is specified... does Request.QueryString() do that as well, or what happens if it doesn't?
Which of those methods would correctly decode "%2b" to be a "+"?
Showing my Windows development roots again... and I would be a much faster developer if I didn't wonder about these things so much... : P
Methods #1 and #2 are the same thing, really. (I think the .Get() method is provided for language compatibility.)
ParseQueryString returns you something that is the functional equivalent of Request.Querystring. You would usually use it when you have a raw URL and no other way to parse the query string parameters from it. Request.Querystring does that for you, so in this case, it's not needed.
You can't leave off "suffix". You either have to pass a string or an index number. If you leave off the [] entirely, you get the whole NameValueCollection. If you mean what if "suffix" was not one of the QueryString values then yes; you would get null if you called Request.QueryString["suffix"].
No. The most likely time you would use it is if you had an external URL and wanted to parse the query string parameters from it.
ParseQueryString does not handle it... neither does pulling the values straight from Request.QueryString. For ASP.NET, you usually handle form values as the values of controls, and that is where ASP.NET usually 'handles' these things for you. In other words: DON'T TRUST USER INPUT Ever. No matter what framework is doing what ever for you.
I have no clue (I think no). However, I think what you are reading is telling you that ParseQueryString is returning UTF-8 encoded text - regardless if it was so encoded when it came in.
Again: ParseQueryString returns basically the same thing you get from Request.QueryString. In fact, I think ParseQueryString is used internally to provide Request.QueryString.
They would produce the equivalent; they will all properly decode the values submitted. If you have URL: http://site.com/page.aspx?id=%20Hello then call Request.QueryString["id"] the return value will be " Hello", because it automatically decodes.
Example 1:
string itsMeString = string.IsNullOrEmpty(Request.QueryString["itsMe"]) ? string.Empty : HttpUtillity.UrlDecode(Request.QueryString["itsMe"]);
Stright to your questions:
Not quite sure what do you mean by suffix, if you are asking what happens if the key is not present(you don't have it in the QueryString) - yes it will return null.
My GUESS here is that when constructed, Request.QueryString internally calls HttpUtillity.ParseQueryString() method and caches the NameValueCollection for subsequential access. I think the first is only left so you can use it over a string that is not present in the Request, for example if you are scrapping a web page and need to get some arguments from a string you've found in the code of that page. This way you won't need to construct an Uri object but will be able to get just the query string as a NameValueCollection if you are sure you only need this. This is a wild guess ;).)
This is implemented on a page level so if you are accessing the QueryString let's say in Page_Load event handler, you are having a valid and safe string (ASP.NET will throw an exception otherwise and will not let the code flow enter the Page_Load so you are protected from storing XSS in your database, the exception will be: "A potentially dangerous Request.QueryString value was detected from the client, same as if a post variable contains any traces of XSS but instead Request.Form the exception says Request.QueryString."). This is so if you let the "validateRequest" switched on (by default it is). The ASP.NET pipeline will throw an exception earlier, so you don't have the chance to save any XSS things to your store (Database). Switching it off implies you know what you're doing so you will then need to implement the security yourself (by checking what's comming in).
Probably it will be safe to say yes. Anyway, since you will in most cases generating the QueryString on your own (via JavaScript or server side code - be sure to use HttpUtillity.UrlEncode for backend code and escape for JavaScript). This way the browser will be forced to turn "It's me!" to "It%27s%20me%21". You can refer to this article for more on Url Encoding in JavaScript: http://www.javascripter.net/faq/escape.htm.
Please elaborate on that, couldn't quite get what do you mean by "will comma-separate values if more than one is specified.".
As far as I remember, none of them will. You will probably need to call HttpUtillity.UrlDecode / HttpUtillity.HtmlDecode (based on what input do you have) to get the string correctly, in the above example with "It's me!" you will do something like (see Example 1 as something's wrong with the code formatting if I put it after the numbered list).
I'm devloping a C#/ASP.Net app and I'm trying to find a means of breaking down a URL into its component parts, then swapping out, or deleting these parts and creating a new URL.
For example if I have the following URL:
https://www.site.com/page.aspx?parm1=value1&parm2=value2
I'd like to split the URL down into:
Protocol (http, https, ftp, etc)
Domain (www.site.com)
Page (page.aspx)
URL parameters (parm1 = value1, parm2 = value2)
Once the URL is split down I'd like to manipulate each of the parts, for example:
add or remove parameters
change the value of parameters
change the page from page.aspx to page2.aspx
Then once I'm done create a new URL ready for use with the above changes.
I've checked out the MSDN documentation etc and can't find a utility class in .Net to take care of this. Any ideas?
Cheers,
Steve
The framework comes with the UriBuilder class for this purpose.
It has get/set properties for the things you need:
Protocol: Scheme property
Domain: Host property
Page: Path property (will give you whole path, you might need to do some processing here).
Parameters: Query property (exposed as a string, you might need to do some processing on the string your self).
When you are done manipulating the UriBuilder, use the Uri property to get the result as a Uri object, or just ToString() if you just need the URL as a string.
Start by using UriBuilder (see driis's answer).
To parse the Query property use:
NameValueCollection q=HttpUtility.ParseQueryString(uri.Query);
You actually get an HttpValueCollection (internal) - so when you later call q.ToString() you'll get an url encoded query string back.
Since the class is internal you need to call
NameValueCollection q=HttpUtility.ParseQueryString("");
if you want to build the query string from scratch.
How to I format a query string so it looks like this
search?q=power+tools
currently it looks like this
search?q=power%20tools
Is there a way to do this without replacing the space for a plus sign?
HttpServerUtility.UrlDecode
In a ASP.NET page HttpServerUtility instance can be accessed by Page.Server property.
Not really. HttpUtility.UrlEncode encodes it that way, and that is what is used by pretty much everything in ASP.NET.
Besides, from memory %20 is actually correct for query strings, and + is correct for URLs. Ignore this, it's incorrect.