I have an ASP.NET page (handler) that works when called using &. However, a third-party page which uses my page converts the & to "&amp;" (ampersand amp;) and the page throws a "Parameter is not valid." error.
I have read that parameters should be encoded with &amp; but it seems to be causing my page to error.
.NET is converting that to ampersand, amp, %3
Here is more info on the problem
http://weblogs.asp.net/bleroy/archive/2009/06/05/why-is-asp-net-encoding-amp-s-in-script-urls-a-tale-of-looking-at-entirely-the-wrong-place-for-a-cause-to-a-non-existing-bug.aspx
My problem is that I'm trying to use Facebook, which is converting the & to the "&amp;" form, and I believe that it is causing my code not to work.
This is actually the answer. Facebook was displaying the link with the encoded &, which .NET will not accept. However, it was using the unencoded form. The problem was that it couldn't pull from the HTTPS protocol.
Basically, a non-encoded ampersand is required as the parameter delimiter.
I have created a web application. I am giving one of the web pages to a client as an API. The client can pass parameters to the web page like below:
Ex: www.domainname.com/Testpage.aspx?name=pinky&city=pune&number=xxxxxxxx
In the same page, Testpage.aspx, I am accessing/fetching the query string like below.
string s = Request.QueryString["name"];
I am not sure how the client will call the API, I mean to say from a browser or from code, and whether the client will use UrlEncode or not.
From code:
www.domainname.com/Testpage.aspx?name=Server.UrlEncode("pinky")&city=Server.UrlEncode("pune")&number=Server.UrlEncode("xxxxxxxx")
Will the below code work, or do I need to decode? If the client did not use Encode, will decode work fine? I want to use the query string value for further processing and insert it into a table.
string s = Request.QueryString["name"];
You need not decode it. If they have entered special characters and not encoded them, then it will not reach your server-side code at all because it will throw a bad request error. If they have encoded at their end, then it will be automatically decoded at your end.
Even if they have not encoded, your decode will work fine.
I have a web application that places the user's search term in the query string, in a similar way to Google. E.g. the address might be www.example.com/mysearchpage.aspx?q=searchTerm.
Usually this works fine, but if there is a special character in the search term such as â, the action attribute on the form is encoded to percent encoding and the character is replaced with %u00e2.
If I search for chât I will end up with the URL www.example.com/mysearchpage.aspx?q=chât in the browser's address bar, but the action attribute on the form that comes back from the server would be www.example.com/mysearchpage.aspx?q=ch%u00e2t, which means that a subsequent form submission fails because the URL is incorrectly formatted.
I have ensured that in IIS the encoding is set to UTF-8 for Requests, Response Headers and Responses. I have also inspected the page being delivered from IIS in Fiddler, and that already includes the incorrectly encoded action.
The encoded format appears to be a non-standard format, as explained in this Wikipedia article.
Is there a way to prevent IIS from encoding the form's action in this way?
The solution was to add targetFramework=4.5.2 to the httpRuntime tag in the web.config file.
Previously this was not specified there but was specified in the compilation tag; however, specifying targetFramework=4.5.1 still caused the problem.
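The %u00e2 form seen in the question is not RFC 3986 percent-encoding, so standard decoders leave it as literal text. As an added Python example (not code from the question or the answer), here is a tolerant decoder that accepts both the standard %XX UTF-8 form and the legacy %uXXXX form; the sample strings are constructed to match what the question reports.

```python
import re
from urllib.parse import quote, unquote

# Constructed samples: the search term from the question in its two encodings.
TERM = "chât"
STANDARD = quote(TERM)     # 'ch%C3%A2t' : RFC 3986 percent-encoded UTF-8
LEGACY = "ch%u00e2t"       # the non-standard %uXXXX form seen in the form action

_LEGACY_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_legacy_unicode_escapes(s: str) -> str:
    """Decode a query value that may use %uXXXX escapes as well as normal %XX escapes.

    Validation of the decoded value must happen after this step: when one layer
    decodes %uXXXX and another does not, the two disagree about the content, and
    that kind of inconsistency is exactly how input filters get bypassed.
    """
    # Step 1: each %uXXXX becomes the UTF-16 code unit it names.
    units = _LEGACY_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    # Step 2: round-trip through UTF-16 so surrogate pairs (e.g. emoji) combine;
    # a lone surrogate becomes U+FFFD instead of raising.
    joined = units.encode("utf-16", "surrogatepass").decode("utf-16", "replace")
    # Step 3: ordinary %XX decoding (UTF-8) for everything else.
    return unquote(joined)


if __name__ == "__main__":
    print(repr(unquote(LEGACY)))                          # standard decoder leaves %u00e2 alone
    print(repr(decode_legacy_unicode_escapes(LEGACY)))    # 'chât'
    print(repr(decode_legacy_unicode_escapes(STANDARD)))  # 'chât'
```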
We are having a very strange problem on one particular web server (we do not have direct access to the web server, only FTP access).
Our ASP.NET application displays a dataset into a standard GridView. One of the columns in the GridView is a basic template column, with a link redirecting to another page - passing few parameters.
One of the parameters is EmployeeName - and the following page uses that parameter to set a label.
On this particular web server (WEBSERVER1 in this example), the resulting link generates an error 404 (page not found):
https://WWW.WEBSERVER1.COM/Customer_011B.aspx?WeekEnding=1/21/2012&GUID=n.a.&EmployeeName=Knutson-Haushalter, Kathleen&ReportToName=Mary Jo Eayrs&Assignment_Id=123772
On another web server (WEBSERVER2 in this example), the resulting link properly opens the page:
http://WWW.WEBSERVER2.COM/Customer_011B.aspx?WeekEnding=1/21/2012&GUID=n.a.&EmployeeName=Knutson-Haushalter, Kathleen&ReportToName=Mary Jo Eayrs&Assignment_Id=123772
(unfortunately the links above are not rendered correctly)
Yes, I am aware that WEBSERVER1 is running under SSL - but am not sure why this would make a difference.
Now, we have verified that the page Customer_011B.aspx is indeed present on WEBSERVER1.
Here comes the puzzle:
If we only remove the EmployeeName parameter, the page displays correctly. All database operations are performed correctly, etc. The only "problem" is that the EmployeeName is not reported in the target label.
In other words:
This DOES NOT work and all we get is error 404:
https://WWW.WEBSERVER1.COM/Customer_011B.aspx?WeekEnding=1/21/2012&GUID=n.a.&EmployeeName=Knutson-Haushalter, Kathleen&ReportToName=Mary Jo Eayrs&Assignment_Id=123772
This DOES work and we get to the page and retrieve all the needed data:
https://WWW.WEBSERVER1.COM/Customer_011B.aspx?WeekEnding=1/21/2012&GUID=n.a.&ReportToName=Mary Jo Eayrs&Assignment_Id=123772
Just in case you are wondering, the only parameter needed by our data access layer is that Assignment_Id number.
Also, note that I enclosed the links in double quotes... so that they would render properly...
Use UrlEncode and UrlDecode to place the parameters in your URL. I see that you use spaces, slashes and commas. Parameters with slash/space/comma and other invalid URL characters may be cut or changed by an enabled URL filter on one of the IIS servers.
I've a .NET webservice which takes an encoded HTML string as a parameter, decodes the string and creates a PDF from the HTML. I want to make a synchronous server-side call to the webservice from a classic ASP webpage. It works fine if I use a plain text string (with no HTML tags), but when I send an encoded HTML string to the webservice it seems that the string is empty when it reaches the webservice.
The webservice is working fine when I call it from client side, with both plain text string and an encoded html string.
My code looks like this:
Private Sub SaveBookHtmlToPdf(pHtml, pShopId)
    Dim oXMLHTTP, strEnvelope
    ' Server-side HTTP client (classic ASP / MSXML)
    Set oXMLHTTP = CreateObject("Msxml2.ServerXMLHTTP.6.0")
    ' Form body: shop id plus the HTML-encoded page HTML
    strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.HTMLEncode(pHtml)
    ' Synchronous POST (last argument False) to the .asmx method
    Call oXMLHTTP.Open("POST", "https://mydomain.dk:4430/PdfWebservice.asmx/SaveBookToPdf", False)
    Call oXMLHTTP.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    Call oXMLHTTP.Send(strEnvelope)
    Set oXMLHTTP = Nothing
End Sub
It smells like some kind of security issue on the server. It works when posting an asynchronous call from the client side, but not when it comes from the server side; it seems that the encoded HTML string is somehow not allowed in a server-side call to the webservice.
Anyone who knows how to solve this tricky problem?
This looks all wrong to me:
Server.HTMLEncode(pHtml)
It's quite common for developers to get confused between HTML encoding and URL encoding, even though they are quite different. You are posting data that needs to be URL encoded. Hence your code should use URLEncode instead:
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.URLEncode(pHtml)
Edit:
One thing that URLEncode does that may not be compatible with a URL-encoded post is that it converts space to "+" instead of "%20". Hence a more robust approach might be:
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Replace(Server.URLEncode(pHtml), "+", "%20")
Another issue to watch out for is that the current value of Response.CodePage will influence how URLEncode encodes non-ASCII characters. Typically .NET does things by default in UTF-8. Hence you will also want to make sure that your Response.CodePage is set to 65001:
Response.CodePage = 65001
strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Replace(Server.URLEncode(pHtml), "+", "%20")
This may or may not help but I use a handy SOAP Class for Classic ASP which solved a few problems I was having doing it manually. Your code would be something like this:
Set cSOAP = new SOAP
cSOAP.SOAP_StartRequest "https://mydomain.dk:4430/PdfWebservice.asmx", "", "SaveBookToPdf"
cSOAP.SOAP_AddParameter "pShopId", pShopId
cSOAP.SOAP_AddParameter "pEncodedHtml", Server.HTMLEncode(pHtml)
cSOAP.SOAP_SendRequest
' result = cSOAP.SOAP_GetResult("result")
You will probably need to set your namespace for it to work ("" currently), and uncomment the 'on error resume next' lines from the class to show errors.
AnthonyWJones made the point about URL encoding and HTML encoding, and the original problem being experienced is likely a combination of the two, a race condition if you will. While it was considered answered, it partially wasn't, and hopefully this answers the cause of the effect.
So, as the message gets HTMLEncoded, the HTML entities for the tags become such that '<' = '&lt;'.
And as you may know, in URLEncoding, &'s delimit parameters; thus the first part of this data, strEnvelope = "pShopId=" & pShopId & "&pEncodedHtml=" & Server.HTMLEncode(pHtml), up to the "&pEncodedHtml" bit, is fine. But then "<HTML>..." is added as the message, with unencoded &'s... and the receiving server is likely delimiting on them and basically truncating "&pEncodedHtml=" as a null assign: "&pEncodedHtml=&lt;HTML&gt;... ." The delimiting would be done on all &'s found in the URL.
So, as far as the server is concerned, the data for the parameter pEncodedHtml was null, and following it were now several other parameters that were considered cruft, which it likely ignored, and which just happened to actually be your message.
Hope this provides additional info on issues of this kind, and how to correct them.
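The two answers above (use URLEncode rather than HTMLEncode, and the explanation of how the &'s inside the entity-encoded HTML swallow the pEncodedHtml field) in runnable form. This is an added Python example, not code from the question or the answers: the sample HTML fragment is constructed, and the small form-body parser stands in for what the receiving server does with application/x-www-form-urlencoded data.

```python
import html
from urllib.parse import quote, quote_plus, unquote_plus

# Constructed sample for pHtml: contains the characters that matter here,
# '<', '"', a space and a bare '&'.
SAMPLE_HTML = '<p class="x">Tom & Jerry</p>'


def body_html_encoded(shop_id: str, page_html: str) -> str:
    """Body built the way the question's code does it: Server.HTMLEncode on a form field."""
    return f"pShopId={shop_id}&pEncodedHtml={html.escape(page_html, quote=True)}"


def body_url_encoded(shop_id: str, page_html: str, space_as_plus: bool = True) -> str:
    """Body built as the answer recommends: URLEncode ('+' for space), or the
    Replace(..., "+", "%20") variant when space_as_plus is False."""
    enc = quote_plus if space_as_plus else (lambda s: quote(s, safe=""))
    return f"pShopId={enc(shop_id)}&pEncodedHtml={enc(page_html)}"


def parse_form_body(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser, doing what every server does:
    split on '&' FIRST, then on the first '=', then percent-decode each half.
    A pair without '=' is kept with an empty value so the damage stays visible."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def compare(shop_id: str, page_html: str) -> tuple:
    """Return (what the server sees for the HTMLEncode body, same for the URLEncode body)."""
    return (parse_form_body(body_html_encoded(shop_id, page_html)),
            parse_form_body(body_url_encoded(shop_id, page_html)))


if __name__ == "__main__":
    wrong, right = compare("7", SAMPLE_HTML)
    print("HTMLEncode ->", wrong)   # pEncodedHtml is '' and 'amp; Jerry' etc. arrive as extra fields
    print("URLEncode  ->", right)   # pEncodedHtml round-trips to the original fragment
```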
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
&quot; &amp; etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncode on point number 1 we get the following: &quot; -> &amp;quot;
Obviously we want to HtmlEncode when displaying, as point 2 contains JavaScript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What I would suggest is that you write a quick script that goes through the database and unencodes the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded [1]; the danger is when you echo it back out to the end user.
Some controls already encode output using the encode functionality built into the .NET framework, which is not bulletproof to XSS, so you have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link, which you should read. Also, some third-party control vendors encode the output of their controls; you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
[1] Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode("myText"), use the HtmlDecode method on the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".
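The decode-then-encode approach from the last answer, next to the naive encode that produced &amp;quot;, and the case the first answer has in mind when it says it cannot be done reliably. This is an added Python example, not code from the question or the answers; the column values are constructed to mirror the two kinds described in the question.

```python
import html

# Constructed column values mirroring the question: one stored already
# HTML-encoded, one stored raw, one carrying a script tag.
ALREADY_ENCODED = "&quot; &amp; etc etc"
RAW = '" & etc etc'
SCRIPT = "<script>code()</script>"


def naive_encode(value: str) -> str:
    """Encode on output without looking: already-encoded data is double-encoded."""
    return html.escape(value, quote=True)


def normalize_then_encode(value: str, max_rounds: int = 5) -> str:
    """The last answer's approach, generalised: strip any number of stacked
    encodings (bounded, so malformed input cannot loop forever), then encode
    exactly once. Idempotent on encoded input, safe on raw or script input."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return html.escape(value, quote=True)


def is_ambiguous(value: str) -> bool:
    """True when the two strategies disagree, i.e. the stored value contains entity
    text and nothing in the data says whether it was meant as markup or as literal
    characters. This is the case behind the first answer's 'No there isn't'."""
    return naive_encode(value) != normalize_then_encode(value)


if __name__ == "__main__":
    for v in (ALREADY_ENCODED, RAW, SCRIPT, "type &amp; to show an ampersand"):
        print(repr(v), "->", normalize_then_encode(v), "| ambiguous:", is_ambiguous(v))
```

A value the user really typed as literal entity text (the last sample) is rendered as its decoded characters after normalisation, which is the information loss the first answer warns about.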