3

I recently created a question on how to use signs like / and + in a URL but that brought me to another question, how do I replace spaces in my URL, and why?

If my url is something.com/Find/this is my search, why is that wrong? Why do we need to change it to something.com/Find/this+is+my+search?

I have been searching and trying solutions for over 5 hours now. Everywhere I look the answer is the same: use HttpUtility.UrlEncode or Uri.EscapeDataString. But I have tried doing that like this:

string encode = Uri.EscapeDataString(TextBoxSearch.Text);
Response.Redirect("/Find/" + encode );

string encode = HttpUtility.UrlEncode(TextBoxSearch.Text);
Response.Redirect("/Find/" + encode );

string encode = TextBoxSearch.Text.Replace(" ", "+");
Response.Redirect("/Find/" + encode);

None of these work, they do not replace the space with anything (string.replace does but this also causes the string to change, which means it can't find values in the database on the next page).

If I encode the entire URL then all my / turn into % and that is obviously not what I want.

What I need

If I redirect like this Response.Redirect("/Find/" + search);.
And I make a search like this "Social media".
I then get the queryString on the next page and use it to load info from my database.
Now I want to display info about Social media from my database.
but at the same time I want the url to say Find/Social+media.

EDIT:

What I try:

string encode = HttpUtility.UrlEncode(TextBoxSearch.Text);
Response.Redirect("/Find/" + encode);

This gives me a "404.11 - The request filtering module is configured to deny a request that contains a double escape sequence." on Requested URL http://localhost:65273/Find/social+media

In my Find.aspx onLoad():

IList<string> segments = Request.GetFriendlyUrlSegments();
string val = "";
for (int i = 0; i < segments.Count; i++)
{
    val = segments[i];
}
search = val;
Rodal
  • That isn't a valid url, spaces in urls are `%20` – Sayse Mar 09 '15 at 09:47
  • When I run on localhost and make a search using spaces it works fine, even without "+" replacement. But after I have read I understand I can't use spaces in the url, so how do I replace them? – Rodal Mar 09 '15 at 09:49
  • Your browser will turn them into `%20`, so no worries. – Patrick Hofman Mar 09 '15 at 09:50
  • How is your URL picked up? Do you use ASP.NET MVC? – Patrick Hofman Mar 09 '15 at 10:05
  • I use asp.net webforms. I added how I read the querystring – Rodal Mar 09 '15 at 10:07
  • A 404 indicates the page can't be found. How is your URL matched? Any rule you can share? – Patrick Hofman Mar 09 '15 at 10:10
  • I added ` ` to my web.config and now the query goes through without a 404. However, the database tries to load `Social+media` instead of `Social media` – Rodal Mar 09 '15 at 10:12
  • @Rodal: That doesn't explain the 404. Try to decode the URL before you search for it in the database. – Patrick Hofman Mar 09 '15 at 10:15
  • "The IIS7 request filter rejects URLs containing + characters. We do this because the + character is a dangerous choice.". I tried decoding, didn't work, so I did `string.replace("+", " ");` and that works. Just feels like a "hack" solution, it also says doing this makes me weaker against injections – Rodal Mar 09 '15 at 10:19
  • A space isn't less safe than a plus sign. – Patrick Hofman Mar 09 '15 at 10:21
  • I get that, the replace is just so that my database can load the value. I honestly don't know what else I can do. Just using your solution gives me a 404 no matter what I do, it won't allow "double spacing" without modifying the web.config file – Rodal Mar 09 '15 at 10:25
  • @PatrickHofman is there any Encoding that turns the space into %20? Since the + seems to not work for me for some reason, not without having to use string.replace("+", " "); when I load the querystring, and I also have to mess with my web.config security which I don't like – Rodal Mar 09 '15 at 10:42

2 Answers

6

HttpUtility.UrlEncode replaces spaces with +, but as Patrick mentioned, it is better to use %20. So, you can accomplish that using String.Replace.

var encode = TextBoxSearch.Text.Replace(" ", "%20");

That said, you should also encode the value to prevent any kinds of XSS attacks. You could do both of these by first encoding, then replacing the + from the value.

var encode = HttpUtility.UrlEncode(TextBoxSearch.Text).Replace("+", "%20");
NightOwl888
  • Using this gives me the url `http://localhost:65273/Find/social media` but if I copy and paste it in here it says `http://localhost:65273/Find/social%20media`. Does my browser remove the `%20`? – Rodal Mar 09 '15 at 10:31
  • Some browsers try to humanize the url, so that is possible indeed. – Patrick Hofman Mar 09 '15 at 10:32
  • It seems FF does this. Because in Chrome I get the %20. Too bad this only deals with spaces and not signs like /, +, () etc. But my question was how to replace a space so this will be the accepted answer – Rodal Mar 09 '15 at 10:35
4

It is perfectly fine to replace a space with %20, since that is the escaped form of a space. %20 is URL safe, so you can use that.

In fact, %20 is just the hexadecimal value of the ASCII code for space. Using HttpUtility.UrlEncode is enough.

It is better to use %20 instead of + as explained in this answer: When to encode space to plus (+) or %20?.

Patrick Hofman
  • Right, but how do I do it? I can't get anything to change my querystring, whatever I try the space stays a space in the url. – Rodal Mar 09 '15 at 09:50
  • Encoding the URL is enough. The string returned in .NET is good. – Patrick Hofman Mar 09 '15 at 09:51
  • Is it because I'm running localhost then? So basically I do not need to encode anything? `Response.redirect("/Find/" + search)` will work? – Rodal Mar 09 '15 at 09:51
  • If you use `HttpUtility.UrlEncode` you are all set. What doesn't work? – Patrick Hofman Mar 09 '15 at 09:52
  • If I do `string encode = HttpUtility.UrlEncode(TextBoxSearch.Text); Response.Redirect("/Find/" + encode );` then the resulting URL after a search is still "localhost/Find/here are spaces". They do not get replaced with %20. – Rodal Mar 09 '15 at 09:54
  • @Rodal: `HttpUtility.UrlEncode("aa bb")` makes it `aa+bb` here. So that is fine. – Patrick Hofman Mar 09 '15 at 09:57
  • bah, then I do not understand =/ Does not work here. If I encode the entire url then it changes some `/` and stuff but if I just encode the querystring it does not replace my spaces. – Rodal Mar 09 '15 at 09:58
  • @Rodal: Can you give an example URL? – Patrick Hofman Mar 09 '15 at 10:00
  • @Rodal did it work, I have the same issue? Tried everything. – Junaid Dec 04 '20 at 18:09
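
Added example (not part of the original question, answers or comments): a small C# console program contrasting the two encoders discussed in this thread when a search term is placed in a path segment such as /Find/<term>. The names `FindUrl`, `Build` and `ReadSegment` and the sample terms are constructed for illustration, and it assumes the receiving code is handed the segment still percent-encoded.

```csharp
using System;
using System.Web; // HttpUtility: reference System.Web on .NET Framework

static class FindUrl // hypothetical helper, not from the original page
{
    // Escape the search term as ONE path segment.
    // Uri.EscapeDataString writes a space as %20 and also escapes
    // '/' and '+', so the term cannot add path separators of its own.
    public static string Build(string search) =>
        "/Find/" + Uri.EscapeDataString(search);

    // Recover the term from a still-escaped segment.
    // Uri.UnescapeDataString applies percent-decoding only: a literal '+'
    // stays '+', so no Replace("+", " ") workaround is involved.
    public static string ReadSegment(string rawSegment) =>
        Uri.UnescapeDataString(rawSegment);

    static void Main()
    {
        // Constructed sample search terms.
        string[] samples = { "Social media", "C++ / C#", "50% off" };

        foreach (string s in samples)
        {
            string url = Build(s);
            string segment = url.Substring("/Find/".Length);
            bool roundTrip = ReadSegment(segment) == s;
            Console.WriteLine($"{s,-14} -> {url,-28} round-trip: {roundTrip}");
        }

        // HttpUtility.UrlEncode follows form/query-string rules, where a
        // space is written as '+'. Path decoding does not reverse that,
        // which is why the database lookup saw "Social+media".
        string form = HttpUtility.UrlEncode("Social media");
        Console.WriteLine("UrlEncode:           " + form);
        Console.WriteLine("UnescapeDataString:  " + Uri.UnescapeDataString(form));
        Console.WriteLine("HttpUtility.UrlDecode: " + HttpUtility.UrlDecode(form));
    }
}
```

Pairing each encoder with its own decoder (EscapeDataString with UnescapeDataString, UrlEncode with UrlDecode) is what keeps the stored value and the looked-up value identical.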