
Consider a link to a page for a user's profile. A page is creating that URL like this:

// Model.Name has value "<bad guy>"
Html.ActionLink("foo", "ViewUser", new { id = 5, title = Url.Encode(Model.Name) })

The actual outcome was

http://mysite/Users/5/%253cbad%2guy%253e

When navigating to that URL, the server generates an HTTP Error 400 - Bad Request.

The problem surfaces when testing out 'interesting' user inputs with < and >, but anything could come from the user, and therefore be put in a URL by way of Model.Name.

Question: Given that the Model.Name may contain Unicode characters, or characters otherwise illegal in URLs:

  • what's the best way to strip out illegal characters, or otherwise encode them?
  • should the user's input be sanitized BEFORE being saved to the database, thereby preventing the encoding attempt above?
  • which characters should be sanitized (i.e. not allowed) when thinking of having that string be part of a URL?
p.campbell

1 Answer


One way is to use base 64 encoding on any parameters that might contain the special characters.

See here for an example:

Allowing special characters in ASP.Net MVC URL parameters
http://gathadams.com/2009/01/06/allowing-special-characters-forward-slash-hash-asterisk-etc-in-aspnet-mvc-urls/

Robert Harvey
  • See http://stackoverflow.com/questions/1228701/code-for-decoding-encoding-a-modified-base64-url for a good example on how to use base 64 encoding...and decoding – w4ik Oct 07 '11 at 16:13
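The example below is added here and is not code from the question, the answer or the linked article. It shows the two things discussed above in a runnable console program: why the original ActionLink call produces `%253c...` (Url.Encode runs first, then the routing layer URL-encodes the route value again, so every `%` becomes `%25`), and how the base64 approach from the answer avoids it by only ever putting characters from `[A-Za-z0-9-_]` into the path, which survive a second encoding pass unchanged. The helper names `ToUrlSafeBase64` and `FromUrlSafeBase64` are hypothetical; the alphabet is the RFC 4648 base64url one, with padding stripped because `=` is also URL-special. The 400 itself comes from ASP.NET rejecting request paths that contain characters it treats as invalid (in .NET 4 that list is the `httpRuntime` `requestPathInvalidCharacters` setting, whose default includes `<`, `>`, `*`, `%`, `&`, `:` and `\`), which is why a decoded path segment containing `%3c` is refused before your action ever runs.

```csharp
using System;
using System.Net;
using System.Text;

// Added example, not from the original post. Hypothetical helper for carrying
// arbitrary user text (Unicode included) as a single URL path segment.
public static class UrlSafeBase64
{
    // Encode text into the base64url alphabet [A-Za-z0-9-_]; nothing in that
    // alphabet is special in a URL, so the routing layer's own encoding pass
    // (the source of the double "%25" in the question) leaves it untouched.
    public static string ToUrlSafeBase64(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(value));
        // Standard base64 uses '+', '/' and '=', all of which are URL-special.
        return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }

    // Reverse of ToUrlSafeBase64. Anything outside the alphabet makes
    // Convert.FromBase64String throw FormatException, which is the right
    // outcome for a value that arrived on the URL.
    public static string FromUrlSafeBase64(string token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));
        string b64 = token.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)          // restore the padding stripped on encode
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }
}

public static class Program
{
    public static void Main()
    {
        string name = "<bad guy>";       // the value from the question

        // What the original ActionLink call effectively does: Url.Encode, then
        // the routing layer encodes the route value a second time.
        string once = WebUtility.UrlEncode(name);
        string twice = WebUtility.UrlEncode(once);
        Console.WriteLine("encoded once:   " + once);
        Console.WriteLine("encoded twice:  " + twice);

        // base64url instead: the second pass is a no-op on this alphabet.
        string token = UrlSafeBase64.ToUrlSafeBase64(name);
        Console.WriteLine("token:          " + token);
        Console.WriteLine("token re-encoded unchanged: " + (WebUtility.UrlEncode(token) == token));
        Console.WriteLine("decoded:        " + UrlSafeBase64.FromUrlSafeBase64(token));

        // Unicode and other URL-illegal characters round-trip too, because the
        // encoding goes through UTF-8 bytes rather than through the URL rules.
        string unicode = "Zoë / Müller?#";
        string utoken = UrlSafeBase64.ToUrlSafeBase64(unicode);
        Console.WriteLine(utoken + " -> " + UrlSafeBase64.FromUrlSafeBase64(utoken));
        Console.WriteLine("unicode round-trip ok: " + (UrlSafeBase64.FromUrlSafeBase64(utoken) == unicode));
    }
}
```

Two caveats on the question's other bullets. Decoding the token gives back exactly the bytes the user typed, so the value is still untrusted after `FromUrlSafeBase64`: encode it for HTML when you render it, and treat a `FormatException` as a bad request rather than letting it surface as a 500. And the encoding here is an output concern for one context (the URL); rewriting the stored name in the database to make it URL-safe would lose data the user legitimately entered and would not help the other contexts (HTML, JSON, logs) that each need their own encoding at the point of output.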