0

I'm trying to trim an exception message with the below code:

Response.Redirect("IllegalCharactersError.aspx?error=");
string message = ex.Message;
string cleanMessage = message.Substring(message.IndexOf("=") + 1);
Session.Add("IllegalCharactersError", cleanMessage.Replace("\\", ""));

Here is a sample of the string: A potentially dangerous Request.Form value was detected from the client (ctl00$Main$EmployerRegistrationCtrl$CompanyDetails$CompanyTradingAs="'<'My Company Trading").

I only want to display '<'My Company Trading but my label is displaying \"'<'My Company Trading\"). with backslashes, so it's not displaying and I can't seem to remove them. Any ideas how to achieve this?

Thanks Darren

Anne
Darren
  • Are those backslashes in the label on the asp.net page, or in the debugger? The latter tries to display a string in a format that you could use in code: with escaped quotes. So then those backslashes aren't really in the string. – Hans Kesting Nov 15 '11 at 08:56

2 Answers

2

You should use HttpUtility.HtmlEncode:

lbl.Text = HttpUtility.HtmlEncode(value);

Use HttpUtility.HtmlDecode to read the Text of the label later:

string value = HttpUtility.HtmlDecode(lbl.Text);

If you want to transfer the error-message via URL, you need HttpUtility.UrlEncode and later HttpUtility.UrlDecode.

But I'm not sure where you are getting the backslashes from. The original error message has none; are you masking it somewhere?

For the sake of completeness, here you can find information on how to prevent the "dangerous Request.Form value" error: A potentially dangerous Request.Form value was detected from the client

Community
Tim Schmelter
  • No, not at this point. HTML encoding should be done at the point where the text is really *inserted* into the HTML context, not at arbitrary places. – Roland Illig Nov 15 '11 at 08:18
  • @Roland: He is showing the text in an ASP.NET Label. Isn't that a point where text is *inserted* into the HTML context?! – Tim Schmelter Nov 15 '11 at 08:21
  • Yes, it is. I only concentrated on the larger block of code from the question, and in that code I didn't see any need for encoding. – Roland Illig Nov 15 '11 at 08:25
1

Did you make the IllegalCharactersException (or however it is called in your example) yourself? If you did, you should add some useful properties to it:

ex.OffendingValue
ex.Field

These properties should be filled when the exception is thrown.

That saves you from parsing the string at all.

Roland Illig
  • The IllegalCharactersException is just a page I redirect to; I'm using HttpRequestValidationException. I would be interested in how you would create your own exception with those properties, though. Thanks – Darren Nov 16 '11 at 01:10
  • I just read the documentation for `HttpRequestValidationException`, and it didn't sound as if there were additional useful data besides the `ex.Message`. You might have a look at `ex.Data`, and if there is nothing useful in it, parsing the message is the way to go. – Roland Illig Nov 16 '11 at 08:03
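
An added example, not code from the question or from either answer: it parses the message quoted in the question into the `Field` and `OffendingValue` properties suggested in the second answer, keeps the value raw, and HTML-encodes it only at the point of output, as discussed under the first answer. `RejectedInput` and `Demo` are hypothetical names, the message shape is assumed from the quoted sample rather than from any documented format, and `WebUtility.HtmlEncode` stands in for `HttpUtility.HtmlEncode` so the block runs as a console program.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper (not an ASP.NET type): the two parts of the
// request-validation message that an error page needs.
public sealed class RejectedInput
{
    public string Field { get; private set; }
    public string OffendingValue { get; private set; }

    // Assumed message shape, taken from the sample in the question:
    //   ... detected from the client (<field>="<value>").
    private static readonly Regex Shape = new Regex(
        @"\((?<field>[^=]+)=""(?<value>.*)""\)\.?\s*$", RegexOptions.Singleline);

    public static RejectedInput Parse(string message)
    {
        Match m = Shape.Match(message ?? string.Empty);
        if (!m.Success) return null; // unknown wording: show a generic text instead
        return new RejectedInput
        {
            Field = m.Groups["field"].Value,
            OffendingValue = m.Groups["value"].Value
        };
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: the message quoted in the question.
        string message = "A potentially dangerous Request.Form value was detected " +
            "from the client (ctl00$Main$EmployerRegistrationCtrl$CompanyDetails$" +
            "CompanyTradingAs=\"'<'My Company Trading\").";

        RejectedInput hit = RejectedInput.Parse(message);
        string raw = hit != null ? hit.OffendingValue : "(value not available)";

        // Store and pass around the raw value; encode only at the point
        // where it is written into HTML (the Label's Text on the error page).
        Console.WriteLine("raw:     " + raw);
        Console.WriteLine("encoded: " + WebUtility.HtmlEncode(raw));
    }
}
```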