How exactly does Url Encoding work? - asp.net-mvc

In MVC, I'm attempting to use URL routing to get the result of an action given a certain input.
Consider the following in my view:
<%=Html.ActionLink("View", "Test", new with {.id = Url.Encode(dir\file}) %>
My controller then uses HttpUtility.UrlDecode(id) to get the original. The controller itself is using File() to retrieve a file at the specified directory\file location. However, an error message pops up telling me that
A potentially dangerous Request.Path value was detected from the client (%).
The URL is showing up as
http://home/dir%255cfile.txt
I googled Url Encoding and \ is encoded as %5c. Where is the %25 coming from? It's the encoding for %, but that means Encode is being done twice. Why is that, and is that supposed to be happening?

Html.ActionLink takes care of the URL encoding for you. If you don't encode the params there, there's no need to decode it again and your issue is solved.

Related

Thymeleaf th:text displaying wrong value on encoded parameter

The URL of the template is:
http://localhost:8080/login?error=Usu%E1rio%20inexistente%20ou%20senha%20inv%E1lida
where, for example, %E1 is á
I'm trying to display the value of the param error on the page using this code:
but a wrong value with special character is being displayed.
Welcome to SO.
I see two ways you can try:
1) Use the utility for an HttpServletRequest:
<p th:utext="${#httpServletRequest.getParameter('error')}">[error message]</p>
This is getting the value of the error parameter from the request.
2) Use the typical usage for getting the value of a param:
<p th:utext="${param.error}">[error message]</p>
In either case, you can use th:if to check for null. You can use utext to get the unescaped text so that unusual characters display.
Also, check that your character encoding is set to UTF-8. In your config, it would look something like:
resolver.setCharacterEncoding(StandardCharsets.UTF_8.name());
or
resolver.setCharacterEncoding("UTF-8");
Instead of trying to decode the URL, I first encoded the error message where it was generated using URLEncoder.encode(errorMessage). So, the URL changed to http://localhost:8080/login?error=Usuário+inexistente+ou+senha+inválida. Then, I didn't need to decode. I only used th:text="${param.msgError}

Use base64 encoded string in url cakephp

here is the solution for php Passing base64 encoded strings in URL
but because of urlencode cakephp problem I cant use it (the solution in there is not good for me)
Passing an urlencoded URL as parameter to a controller / action at CakePHP
Rawurlencode does not work either. Also I cant hash it because I need it to be reversible. Or is there some "reversible" hash function. I know that the meaning of hash is for one way, but like some way to get output similar(so I can use in the url without problems) to md5/sha* but be able to reverse.
QSN: how to use base64 encoded string in url to avoid problems, mentioned in the above link.

Can someone tell me how to create a QR code for a url with parameters

I've tried using a few web pages to create QR code to create a QR for a regular url and they fine.
However, if I had parameters to the url, the resulting url does not decode properly.
If you try this
http://chart.apis.google.com/chart?cht=qr&chs=500x500&choe=UTF-8&chld=H&chl=http://localhost?someparam=1&someotherparam=2
instead of the QR code pointing to http://localhost?someparam=1&someotherparam=2
the Barcodescanner decoder apps on Android and iPhone point to
http://localhost/?someparam=1&someotherparam=2
The forward slash / between what would be the server name (domain name) and the start of the parameter string is obviously incorrect.
I'm assuming that it's something to do with url encoding and I'm just looking for a pointer in the right direction from someone who might had already cracked this nut.
Zxing's QR code generator has the same effect. But it seems to rely on Google also.
http://zxing.appspot.com/generator/
Also
http://d-project.googlecode.com/svn/trunk/misc/qrcode/js/sample.html
You need to URL-encode each parameter value, in your example, the chl parameter in particular. Most languages have libraries for this these days or a web search for "url encoder " will give you a form.
The url encoding of http://localhost?someparam=1&someotherparam=2 is http%3A%2F%2Flocalhost%3Fsomeparam%3D1%26someotherparam%3D2.
Also, any parameter values to a URL that is itself a parameter value have to be independently URL encoded as well.
As Sean mentions below, if you enter your URL into the form on the appspot page, it correctly URL encodes the chart url:
http://chart.apis.google.com/chart?cht=qr&chs=350x350&chld=L&choe=UTF-8&chl=http%3A%2F%2Flocalhost%3Fsomeparam%3D1%26someotherparam%3D
I'm not sure about your extra / comment. If you go to the URL you give, the code value is
http://localhost?someparam=1
which is what is expected because the chl parameter value is not escaped and therefore ends at the first &.

How send parameters with decimal point in url?

I’m using Backbone.js and Rails.
In Backbone.js I use HTML5 push state to set filter parameters in a url.
When the page is reloading I want to pass these parameters to Rails.
I encoded a parameter lat:34.34+lng:45.23 using JavaScript’s encodeURIComponent. It encoded:
/users/nearby/lat:34.34+lng:45.23/
as:
/users/nearby/lat%3A34.34%2Blng%3A45.23
but this route is not found.
If I delete the points from url, it works.
How can I send parameters with a decimal point?
The . is not a character that has to be encoded. Is this causing issues server side?
See here for more details:
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
I solved my problems adding an "extra" slash to the end of the url.
In your encoded url it is missing.
Hope this helps
One manifestation of this problem is in URL pattern matching, where the Query Param is expected (i.e. matched) to be an integer. This does not match a number with a decimal point. So you get a 404 (URL not found).

How can I send a GET request containing a colon, to an ASP.NET MVC2 controller?

This works fine:
GET /mvc/Movies/TitleIncludes/Lara%20Croft
When I submit a request that contains a colon, like this:
GET /mvc/Movies/TitleIncludes/Lara%20Croft:%20Tomb
...it generates a 400 error. The error says ASP.NET detected invalid characters in the URL.
If I try url-escaping, the request looks like this:
GET /mvc/Movies/TitleIncludes/Lara%20Croft%3A%20Tomb
...and this also gives me a 400 error.
If I replace the colon with a | :
GET /mvc/Movies/TitleIncludes/Lara%20Croft|%20Tomb
..that was also rejeted as illegal, this time with a 500 error. The message: Illegal characters in path.
URL-escaping that | results in the same error.
I really, really don't want to use a querystring parameter.
related:
Sending URLs/paths to ASP.NET MVC controller actions
I found that URL encoding did not work, but custom encoding did.
I guess ASPNET MVC uses the filesystem to do the parsing and routing, because a character in the URL that is not legal in the filesystem, causes a 500 or 400 error.
So what I did was replace colons with the unicode
¡ character in the javascript side, and then do the converse in the action. like this:
browser:
function myEscape(s){
return s.replace(':', '%C2%A1').trim();
}
in the action, call this conversion before using the argument:
private string MyCustomUnescape(string arg)
{
return arg.Replace("¡", ":");
}
The same approach works for slashes - just pick a different unicode character. Of course if your string arguments themselves are unicode, then you'll have to use non-printable characters for the "encoded" forms.
If SEO is not a problem you may use base64 and then urlencode that. After the first step every character you'll have will be easily encoded. Decoding in .NET is as easy as using the helper in System.Web.HttpUtility and System.Convert.
Similar answered here:
https://stackoverflow.com/a/12037000/134761
Use question mark and ampersands for arguments and URL encode the arguments.
Example: GET /mvc/Movies/TitleIncludes?title=Lara%20Croft%3A%20Tomb
I agree it would be nice to encode things into the url as well, but there is probably a good reason not to.

Resources