I'm trying to reference an image like this:

<img src="/controller/method/@Model.attribute">

This works until the attribute has a plus sign. I already know that the + sign has a semantic meaning but I'd like to keep it, because some values have the plus sign.

I've tried:

<img src="/controller/method/@HttpUtility.HtmlEncode(@Model.attribute)">

And on the server side:

public method(string param)
{
   string p = HttpUtility.HtmlDecode(param);
}

How can I accomplish this using ASP.NET MVC 5?

Zoran Horvat
Joao Victor

3 Answers

You need to use UrlEncode:

<img src="/controller/method/@HttpUtility.UrlEncode(Model.attribute)">

And do nothing in the method:

public ActionResult method(string param){
    // param should already be decoded
}
Steve Harris
  • My URL stays like this: "/controller/method/samsung%20Galaxy%20A8". I tried with "/controller/method/samsung%20Galaxy%20A8+" and with "/controller/method/samsung%20Galaxy%20A8%2B", but both don't work. – Joao Victor Mar 12 '18 at 17:10

I did some testing and got an error page (404.11) while trying to reproduce the scenario you described. Here is a related question: "double escape sequence inside a url: The request filtering module is configured to deny a request that contains a double escape sequence".

cycaHuH

In my designs, I'm avoiding any direct use of model fields as part of the URL. It's not only the question of URL-encoding them - which you can always do - but also the question of readability.

What I do instead is to add another field to the model, which is the URL-ready representation of an attribute. That field can be calculated from the original field by only accepting letters and numbers and replacing spaces or any other character with a dash.

For example, if you had the attribute set to someone's pencil + one, the auto-created URL version of this attribute would be someone-s-pencil-one.

You can customize this process, make it recognize some domain-specific words, etc. But that is the general idea I'm always following in my designs.

As a quick solution you can use a regular expression to isolate acceptable words and then separate them with dashes for better readability:

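// Requires: using System.Linq; using System.Text.RegularExpressions;
// Keep only runs of ASCII letters and digits and join them with dashes.
string encoded = string.Join("-",
    Regex.Matches(attributeValue, @"[a-zA-Z0-9]+")
        .Cast<Match>()
        .Select(match => match.Value)
        .ToArray());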

When done this way, you must account for possible duplicates. Part of the information is lost with this encoding.

If you fear that two models could clash with the same URL, then you have to do something to break the clash. Some websites append a GUID to the generated URL to make it unique.

Another possibility is to generate a short random string, like 3-5 letters only, and store it in the database so that you can control its uniqueness. Everything in this solution is subordinated to readability, keep that in mind.

Zoran Horvat
  • When I checked my URL, the spaces are encoded, but the + sign is not: "/controller/method/samsung%20Galaxy%20A8+". I've tried using %2B and %252B but it won't work. It's like the encoding is working 'partially'. – Joao Victor Mar 12 '18 at 17:37
  • Which encoding? – Zoran Horvat Mar 12 '18 at 17:58
  • Now I've used Url.EscapeUristring() and my string gets encoded: "/controller/method/samsung%20Galaxy%20A8%2B". But it still doesn't fire the controller method. What could it be? – Joao Victor Mar 12 '18 at 18:02
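
The slug approach from the last answer, including the clash handling it calls for, as an added example that is not part of any of the posts above: the URL segment contains only letters, digits and dashes, so nothing in it needs percent-encoding. `ToSlug`, `ToUniqueSlug`, `RandomSuffix`, the lower-casing and the in-memory `taken` set (standing in for a unique database column) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class SlugDemo
{
    // Hypothetical helper: letters and digits are kept, every other run of
    // characters (spaces, '+', quotes, slashes) collapses into a single dash.
    public static string ToSlug(string value)
    {
        var words = Regex.Matches(value ?? "", "[a-zA-Z0-9]+")
                         .Cast<Match>()
                         .Select(m => m.Value.ToLowerInvariant());
        return string.Join("-", words);
    }

    // Appends a short random suffix until the slug is not already taken.
    // 'taken' stands in for a unique-indexed database column (assumption).
    public static string ToUniqueSlug(string value, ISet<string> taken)
    {
        string baseSlug = ToSlug(value);
        if (baseSlug.Length == 0) baseSlug = "item"; // input had no letters or digits
        string candidate = baseSlug;
        while (!taken.Add(candidate))
            candidate = baseSlug + "-" + RandomSuffix(4);
        return candidate;
    }

    private static string RandomSuffix(int length)
    {
        const string alphabet = "abcdefghijklmnopqrstuvwxyz";
        var bytes = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        // Slight modulo bias is acceptable: the suffix breaks ties, it is not a secret.
        return new string(bytes.Select(b => alphabet[b % alphabet.Length]).ToArray());
    }

    public static void Main()
    {
        var taken = new HashSet<string>();
        // Constructed sample values; the first two collide once '+' is dropped.
        var names = new[] { "samsung Galaxy A8+", "samsung Galaxy A8", "someone's pencil + one" };
        foreach (var name in names)
            Console.WriteLine("{0,-24} -> {1}", name, ToUniqueSlug(name, taken));
    }
}
```

The slug must be stored with the record and used for the lookup, because the original value (with or without the plus sign) cannot be recovered from it.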