I'm using PushSharp to handle push notifications for iOS.

Everything went well until I realized the way I'm handling the push isn't too powerful:

```csharp
apnsBroker.QueueNotification(new ApnsNotification {
    DeviceToken = device.DeviceIdentifier,
    Payload = JObject.Parse("{\"aps\":{\"alert\" : {\"title\" : \"" + title
        + "\", \"body\" : \"" + body + "\"}, \"badge\":" + badgeCount + "}, " +
        "\"entity_id\" : \"" + entityId + "\", \"category_id\" : \"" + categoryId + "\", \"sub_id\" : \"" + subId
        + "\"}")
});
```

Edit / Update: One of the parameters I am trying is `\t\ud83d\uddbc️\` (basically I wanted to pass in the Unicode character of the picture frame emoji, so it can be rendered in the APNS alert). It is breaking currently.

I am sending that in C# like this: `@"\t\ud83d\uddbc️\"`

So as you can see, I'm rendering out the JSON payload and this framework takes in a JObject. The problem, as I immediately assumed during my code review, is that if any of those parameters above (title, body, etc.) end up being strings such as `{` or `"` or `{` etc., it will "break" the JSON because JObject can't parse that as valid JSON.

What do you think I should do in this case? Do I have to encode it and I suppose the only drawback would be I have backslashes or something in the encoding? Any recommendations to permit the user input (title and body can be free form text so anything is possible).

Thank you in advance for any advice!

EDIT

Thank you again Zero for your help.

```csharp
var escapedString = JsonConvert.ToString(normalString);
```

saved the day. It's important to note that if you are using this, then escapedString should not be wrapped in ""'s since it will already be escaped (as he mentioned below).

NullHypothesis
  • Bit off-topic but it would be a lot easier to read the string if you used `@` or `$`. That would avoid using escapes all the time. – Zer0 Mar 29 '19 at 01:32
  • so you mean using string interpolation? See I was wondering that.. but would that actually help me regardless? Meaning like $(" 'Body' : '{body}' ..) however even then if body contains ' or " or { it would still break no? – NullHypothesis Mar 29 '19 at 01:36
  • I'm looking to provide you an answer, it's just hard to read as is. `@` is for verbatim string literals and `$` is interpolation. – Zer0 Mar 29 '19 at 01:38
  • `JsonConvert.ToString(@"\t\ud83d\uddbc️\");` works fine for me. Can you post the code you're using based on my answer? And why it's not working? – Zer0 Mar 29 '19 at 03:28

1 Answer

As long as your variables are quoted (inside `"`) there's no need to escape braces (`{` and `}`).

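As for breaking the quote (having `"` inside variables), you could do something like this:

```csharp
//Escapes quotes
param = param.Replace(@"""", @"\""");
```

You also need to escape the escape char itself, `\`:

```csharp
//Escapes backslash (run this before the quote replacement above,
//otherwise the backslashes that replacement inserts get doubled)
param = param.Replace(@"\", @"\\");
```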

Also, here are all valid escapes.

If you're using Newtonsoft.Json they have a method to do this for you.

Example usage below or take a look here. Be aware this will add quotes to the string for you.

```csharp
//Or use the return value inline with interpolation "$" or concatenation "+"
var escapedString = JsonConvert.ToString(normalString);
```
Zer0
  • Thanks this is good. So putting it all together, what I should do is have everything as one long string with $ and inside my variables within {} I should do JsonConvert.ToString(body, ',', StringEscapeHandling.EscapeHtml) on each variable? What am I putting as the delimiter? – NullHypothesis Mar 29 '19 at 02:15
  • @NullHypothesis Using `$` was just a suggestion, it is not needed. But yes I would just convert each variable into a JSON string. I'll edit my answer with a simpler approach. – Zer0 Mar 29 '19 at 02:21
  • going to try this now :) – NullHypothesis Mar 29 '19 at 03:02
  • hey @zer0 so are you saying I should only do JsonConvert.ToString(body)? I think I saw you write that above, but I just used a value of:“ { test: test} \ut23r2 and it failed (failed to parse JSON) – NullHypothesis Mar 29 '19 at 03:14
  • @NullHypothesis Use `JsonConvert.ToString` on each of the user entered parameters (which could contain characters that need escaping for Json). Basically every variable you're currently concatenating with `+`. – Zer0 Mar 29 '19 at 03:17
  • @NullHypothesis If you tried something and it failed, please edit your question with the code you used and I'll help. – Zer0 Mar 29 '19 at 03:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/190882/discussion-between-zer0-and-nullhypothesis). – Zer0 Mar 29 '19 at 03:27
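
Added example (not code from the question or the answer; the class name, method names and sample inputs are made up for illustration): since the question shows that PushSharp's `Payload` takes a `JObject`, the payload can be built as an object graph instead of parsing concatenated text. The block compares that with the question's concatenation pattern and with the `JsonConvert.ToString` approach from the answer.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class ApnsPayloadExample   // hypothetical class name
{
    // Build the payload as an object graph: values are never spliced into JSON
    // text, so quotes, braces and backslashes stay inside their own string.
    public static JObject BuildPayload(string title, string body, int badgeCount,
                                       string entityId, string categoryId, string subId) =>
        new JObject
        {
            ["aps"] = new JObject
            {
                ["alert"] = new JObject { ["title"] = title, ["body"] = body },
                ["badge"] = badgeCount
            },
            ["entity_id"] = entityId,
            ["category_id"] = categoryId,
            ["sub_id"] = subId
        };

    // The concatenation pattern from the question, reduced to one field.
    public static JObject BuildByConcat(string title) =>
        JObject.Parse("{\"aps\":{\"alert\":{\"title\":\"" + title + "\"}}}");

    // Same template, but JsonConvert.ToString escapes the value AND adds the
    // surrounding quotes, so the template must not supply its own.
    public static JObject BuildEscaped(string title) =>
        JObject.Parse("{\"aps\":{\"alert\":{\"title\":" + JsonConvert.ToString(title) + "}}}");

    static string Title(JObject payload) => (string)payload["aps"]["alert"]["title"];

    static void Main()
    {
        // Constructed test inputs: JSON metacharacters, an emoji, and a value
        // that closes the string early and continues with more JSON.
        string[] titles = { "He said \"hi\" {test: test} C:\\tmp", "\t\ud83d\uddbc frame",
                            "x\"},\"badge\":99,\"k\":{\"a\":\"" };
        foreach (var t in titles)
        {
            var viaGraph = JObject.Parse(BuildPayload(t, "body", 1, "e1", "c1", "s1").ToString(Formatting.None));
            Console.WriteLine("graph ok: " + (Title(viaGraph) == t) + ", escaped ok: " + (Title(BuildEscaped(t)) == t));
            try
            {
                var naive = BuildByConcat(t);
                Console.WriteLine("concat parsed; title kept: " + (Title(naive) == t) + "; aps keys: " + ((JObject)naive["aps"]).Count);
            }
            catch (JsonReaderException ex) { Console.WriteLine("concat rejected: " + ex.Message); }
        }
    }
}
```

The third input is the case to watch for: concatenation can yield JSON that still parses but no longer has the structure the code intended, so a parse error is not a reliable signal that user input was mishandled.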