Issue with Base64-encoded parameter in query string

Question

I'm sending a link in my web application to users mails (for confirming user registration) as the following :

<a target="_blank" href="http://localhost:2817/ConfirmRegistration?confirm=Y0tcmGepe7wjH7A1CT1IaA==">
http://localhost:2817/ConfirmRegistration?confirm=Y0tcmGepe7wjH7A1CT1IaA==
</a>

But Chrome alert this message :

Chrome Message

Is the query string invalid ? How can I resolve it ?

BTW:
My application is in C# and MVC3

possible duplicate of [Non Standard Web Address Format](http://stackoverflow.com/questions/1788558/non-standard-web-address-format) — nemesv, Jun 26 '12 at 11:27
Possible duplicate of [Passing base64 encoded strings in URL](http://stackoverflow.com/questions/1374753/passing-base64-encoded-strings-in-url) — pixel, Jan 17 '17 at 10:31

score 8 · Answer 1 · answered Jan 25 '18 at 11:13

I was using HttpUtility.UrlEncode but I had problems if the base64 encoded string contained a "+" sign. It was correctly being encoded to "%2b" but when it was coming back from the browser it was interpreted as a space. So, I used two simple encode/decode methods instead:

public static string UrlEncodeBase64(string base64Input)
{
    return base64Input.Replace('+', '.').Replace('/', '_').Replace('=', '-');
}

public static string UrlDecodeBase64(string encodedBase64Input)
{
    return encodedBase64Input.Replace('.', '+').Replace('_', '/').Replace('-', '=');
}

score 4 · Accepted Answer · answered Jun 26 '12 at 11:31

4

You should URL encode the confirm parameter. The error you get is because of the last == fragment.

For this use HttpServerUtility.UrlEncode or similar framework methods.

answered Jun 26 '12 at 11:31

Marcel N.

13,726
5
47
72

I've user `Url.Encode` and the confirm query string changed to `?confirm=Y0tcmGepe7wjH7A1CT1IaA%3d%3d`, but google alert the same message again ! – Mohammad Dayyan Jun 27 '12 at 02:08
1

I had problems with "+" signs being interpreted as spaces so I had to replace the three unsafe base64 chars myself instead, see: https://stackoverflow.com/a/48441540/236008 – Lee Gunn Jan 25 '18 at 11:15

score 1 · Answer 3 · answered Jun 26 '12 at 11:31

1

You should probably URL encode the parameter value since = is itself used to separate a parameter name from a parameter value.

answered Jun 26 '12 at 11:31

Jesper

7,477
4
40
57

score 1 · Answer 4 · edited Jul 19 '19 at 11:46

You can send your value by replacing two char + to _ and / to -:

string confirm=confirm.Replace('+', '_').Replace('/', '+');

<a target="_blank" href="http://localhost:2817/ConfirmRegistration?confirm=@confirm">
http://localhost:2817/ConfirmRegistration?confirm=@confirm
</a>

and you can get your data in server side by using:

if (Request.QueryString["confirm"] != null && Request.QueryString["confirm"].ToString() != "")
{
       string confirm = HttpUtility.HtmlDecode(Request.QueryString["confirm"]).Replace('_', '+').Replace('-', '/');
}

score 0 · Answer 5 · answered Sep 30 '20 at 08:10

0

If you are using ASP.net core you can use WebEncoders.Base64UrlEncode and WebEncoders.Base64UrlDecode

answered Sep 30 '20 at 08:10

Nirbhay Jha

491
5
13

Issue with Base64-encoded parameter in query string

5 Answers5

Linked