Request.QueryString giving me space instead of + sign - asp.net

If I have a URL value http://Localhost/default.aspx?ts=/+m2dAZZA3DaavaaupUXkZL83n7TwmCVm
Request.QueryString[ts] is giving me
/ m2dAZZA3DaavaaupUXkZL83n7TwmCVm
How can I ensure that I get the whole value from the query string?
Is there an encoding or something?

Use: http://Localhost/default.aspx?ts=/%2Bm2dAZZA3DaavaaupUXkZL83n7TwmCVm instead.
Special characters in URLs are formatted as %XX where XX is the hex representation of the ASCII value. In this case, the + sign is 43, thus our URL value will be %2B.

Whatever code generates your URL needs to escape it properly. Use HttpUtility.UrlEncode() server-side or encodeURIComponent() client-side.

Try using Server.UrlEncode and Server.UrlDecode, or use %2B instead of +.
Here is a list of encodings to use for such characters.

Do not use a + in the parameter value. Instead, choose another character that is URL friendly and will not otherwise be used. Replace the + before adding the value to the URL. Then replace it with a + when the value is retrieved.

Related

How should I escape image URLs for CSS?

I have a div which will receive a CSS background image from user chosen URL, like so:
background-image: url("/* user specified URL here*/")
How should I escape the URL so that it's safe to embed in the CSS? Is escaping the quotes enough?
If you are setting the background url through JS, then the correct and safe way is using encodeURI() and wrapping in quotes.
node.style.backgroundImage = 'url("' + encodeURI(url) + '")';
Is escaping the quotes enough?
No, you also should worry about backslashes and newlines.
Here is the CSS grammar for a double quoted URI:
http://www.w3.org/TR/CSS21/grammar.html#scanner
"([^\n\r\f\\"]|\\{nl}|{escape})"
where {nl} is
\n|\r\n|\r|\f
and {escape} is a backslash-escaped character. So a trailing backslash will break your CSS. A non-escaped newline likewise.
I would strongly recommend to remove all whitespace and finally escape " and \
Since the user data that you need to insert into CSS can be treated like a URL, and not just a string, you only need to ensure that it is properly URL-encoded.
This is safe because a well-formed URL does not contain any characters that are unsafe in CSS strings; except for apostrophe ('), which is not a problem as long as you use double quotes for your CSS string: url("...")
A simple way to do this is to URL-encode all characters that are not "reserved" or "unreserved" in URLs. According to RFC 3986, that would be all characters except for these:
A-Z a-z 0-9 ; , / ? : # & = + $ - _ . ! ~ * ' ( ) # [ ]
That is what encodeURI() does in Mārtiņš Briedis's JavaScript answer. (With one exception: encodeURI() encodes [ and ], which is mostly inconsequential.)
In addition to that, you might consider only allowing URLs that begin with https: or data:. By doing this you can prevent mixed content warnings if the page is served over HTTPS, and also avoid the javascript: issue Alexander O'Mara commented on.
There might be other URL parsing and validation that you want to do, but that is outside the scope of this question.
If you need to insert user data into a CSS string that cannot be treated like a URL, then you would need to do CSS backslash escaping. See user123444555621's answer for more on that.
const style = "background-image: url(\"" + CSS.escape(imageUrl) + "\")";
See https://developer.mozilla.org/en-US/docs/Web/API/CSS/escape
It is an experimental new thing, but it seems to be quite well supported (as of 2021).
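The advice in the answers above (parse the URL, allow only https: or data:, percent-encode, wrap in double quotes) combined into one function. This is an added example, not code from any of the answers; `cssBackgroundUrl` and `ALLOWED_SCHEMES` are names made up for it.

```javascript
// Added example; cssBackgroundUrl and ALLOWED_SCHEMES are illustrative names.
const ALLOWED_SCHEMES = new Set(["https:", "data:"]);

// Returns a CSS url("...") token for a user-supplied URL,
// or null when the URL is relative, unparsable or uses another scheme.
function cssBackgroundUrl(userUrl) {
  let parsed;
  try {
    // The URL parser strips tabs and newlines and rejects relative input.
    parsed = new URL(userUrl);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;

  // encodeURI percent-encodes ", \ and whitespace, the characters that
  // would end or break a double-quoted CSS string. This matters for
  // data: URLs, where the serialized URL may still contain them.
  let encoded = encodeURI(parsed.href);

  // parsed.href is already percent-encoded in places, so encodeURI has
  // turned each existing %XX into %25XX. Undo that double encoding.
  encoded = encoded.replace(/%25([0-9A-Fa-f]{2})/g, "%$1");

  return 'url("' + encoded + '")';
}

// Constructed sample inputs.
const samples = [
  "https://example.com/img/a b.png",
  'https://example.com/x.png");} body{background:red',
  'data:text/plain,a"b\\c',
  "javascript:alert(1)",
  "http://example.com/x.png",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", cssBackgroundUrl(s));
}
```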

Flex + character getting replaced by blank when passed as application param

I am passing a string param into flex application as FlashVars
The param sometime contains special characters, everything shows fine except + sign which gets replaced by blank when it reaches flex.
Here is the scenario for eg.
I have a local variable in JS that gets some values and for this example it can be taken as following
<script language="JavaScript" type="text/javascript">
var testVar = "some_test_string_that_contains_+_character";
</script>
Then to my Flex object AC_FL_RunContent I pass "FlashVars","test="+testVar
In the flex code on Init of application I have written
var testValue:String = application.parameters["testVar"].toString();
Alert.show(testValue);
Now this shows fine except the + character gets replaced by a blank. It doesn't happen with other characters like /,#$-_ but only with the + character.
Any help regarding this will be greatly appreciated.
From Adobe's docs:
About flashVars properties encoding
The values of the flashVars properties must be URL encoded. The format of the string is a set of name-value pairs separated by an ampersand (&). You can escape special and nonprintable characters with a percent symbol (%) followed by a two-digit hexadecimal value. You can represent a single blank space using the plus sign (+).
Looking further down at one of the comments from matthew horn, it looks like you can use %2B to pass the + character.

HttpServerUtility.UrlPathEncode vs HttpServerUtility.UrlEncode

What's the difference between HttpServerUtility.UrlPathEncode and HttpServerUtility.UrlEncode? And when should I choose one over the other?
UrlEncode is useful for query string values (so to the left or especially, right, of each =).
In this url, foo, fooval, bar, and barval should EACH be UrlEncode'd separately:
http://www.example.com/whatever?foo=fooval&bar=barval
UrlEncode encodes everything, such as ?, &, =, and /, accented or other non-ASCII characters, etc, into %-style encoding, except space which it encodes as a +. This is form-style encoding, and is best for something you intend to put in the querystring (or maybe between two slashes in a url) as a parameter without it getting all jiggy with the url's control characters (like &). Otherwise an unfortunately placed & or = in a user's form input or db value could break things.
EDIT: Uri.EscapeDataString is a very close match to UrlEncode, and may be preferable, though I don't know the exact differences.
UrlPathEncode is useful for the rest of the query string, it affects everything to the left of the ?.
In this url, the entire url (from http to barval) should be run through UrlPathEncode.
http://www.example.com/whatever?foo=fooval&bar=barval
UrlPathEncode does NOT encode ?, &, =, or /. It DOES, however, like UrlEncode, encode accented/non-ASCII characters with % notation, and space also becomes %20. This is useful to make sure the url is valid, since spaces and accented characters are not. It won't touch your querystring (everything to the right of ?), so you have to encode that with UrlEncode, above.
Update: as of 4.5, per MSDN reference, Microsoft recommends to only use UrlEncode. Also, the information previously listed in MSDN does not fully describe behavior of the two methods - see comments.
The difference is all in the space escaping - UrlEncode escapes them into + sign, UrlPathEncode escapes into %20. + and %20 are only equivalent if they are part of QueryString portion per W3C. So you can't escape whole URL using + sign, only querystring portion. Bottom line is that UrlPathEncode is always better imho
You can encode a URL using the UrlEncode() method or the UrlPathEncode() method. However, the methods return different results. The UrlEncode() method converts each space character to a plus character (+). The UrlPathEncode() method converts each space character into the string "%20", which represents a space in hexadecimal notation. Use the UrlPathEncode() method when you encode the path portion of a URL in order to guarantee a consistent decoded URL, regardless of which platform or browser performs the decoding.
http://msdn.microsoft.com/en-us/library/4fkewx0t.aspx
To explain it as simply as possible:
HttpUtility.UrlPathEncode("http://www.foo.com/a b/?eggs=ham&bacon=1")
becomes
http://www.foo.com/a%20b/?eggs=ham&bacon=1
and
HttpUtility.UrlEncode("http://www.foo.com/a b/?eggs=ham&bacon=1")
becomes
http%3a%2f%2fwww.foo.com%2fa+b%2f%3feggs%3dham%26bacon%3d1

is there any way to pass string contains '+' via the Querystring

I need to pass '+' via the QueryString.
Some special characters can be passed by using 'Encode' .. but not '+'.
I know one solution: replacing '+' with another character.
But it's not the perfect solution.
[edited]
Well, I used the escape() JavaScript function to encode.
The escape function can't encode +. Is there another function to encode in JavaScript?
Rather than handling on a case by case basis, with Javascript you can encode all data you pass via query string with encodeURIComponent
<script>
var data = ")(#&^$#*&^#!(!*++=";
var encodedData = encodeURIComponent(data);
alert(encodedData);
</script>
Use %2b to pass the + character.
The space character is usually passed as %20.
The same way, the plus sign can be passed as %2B
In ASCII, the hex code for + is 2B, so you should be able to just use %2B instead of +.
http://www.google.com/search?q=c%2B%2B+java
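Why the raw + turns into a space, here and in the Request.QueryString question at the top of the page, shown with a small form-style decoder. This is an added example, not code from the answers; `decodeFormValue`, `encodeFormValue` and `parseQuery` are names made up for it.

```javascript
// Added example; function names are illustrative.

// Decode one query-string name or value the way form decoding does:
// '+' means space, then %XX sequences are resolved.
// The order matters: resolving %2B first would produce a '+' that the
// second step would then turn into a space as well.
function decodeFormValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Encode a value so every reserved character, including '+', survives.
function encodeFormValue(value) {
  return encodeURIComponent(value);
}

// Split "a=1&b=2" into a Map of decoded names and values.
function parseQuery(query) {
  const out = new Map();
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    out.set(decodeFormValue(name), decodeFormValue(value));
  }
  return out;
}

// Value taken from the first question on this page.
const token = "/+m2dAZZA3DaavaaupUXkZL83n7TwmCVm";

// Unescaped: the '+' is read as a space and the value is silently altered.
const broken = parseQuery("ts=" + token).get("ts");

// Escaped by the code that builds the URL: the value round-trips.
const query = "ts=" + encodeFormValue(token);
const intact = parseQuery(query).get("ts");

console.log(JSON.stringify(broken));
console.log(query);
console.log(intact === token);
```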

Multiple Base64 encoded parameters that appear as 1 in a URL query string

I need to pass 2 parameters in a query string but would like them to appear as a single parameter to the user. At a low level, how can I concatenate these two values and then later separate them? Both values are Base64 encoded.
?Name=abcyxz
where both abc and xyz are separate Base64 encoded strings.
why don't you just do something like this
temp = base64_encode("var1=abc&var2=yxz")
and then call
?Name=temp
Later you can decode the whole string and split the vars.
(sry for pseudo code :P)
Edit: a small quote from wikipedia
The current version of PEM (specified in RFC 1421) uses a 64-character alphabet consisting of upper- and lower-case Roman alphabet characters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. The original specification, RFC 989, additionally used the "*" symbol to delimit encoded but unencrypted data within the output stream.
You should either use some separator or store the length of the first item.
First of all, I would be curious as to why you can't just pass two parameters. But with that as a given, just choose any character that's a valid character in a URL query string, but won't show up in your base64 encoding, such as ~
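The separator approach from the last answer, with the Base64 characters +, / and = percent-encoded and both parts validated on the way back in. This is an added example, not code from the answers; `packPair`, `unpackPair` and the choice of `~` as separator are assumptions made for it.

```javascript
// Added example; packPair, unpackPair and SEP are illustrative names.
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/; // standard Base64 alphabet
const SEP = "~"; // valid in a query string, never produced by Base64

// Join two Base64 strings into a single "Name" parameter.
function packPair(a, b) {
  for (const part of [a, b]) {
    if (!BASE64.test(part)) throw new TypeError("not Base64: " + part);
  }
  // '+', '/' and '=' are legal Base64 output but reserved in a query
  // string, so the joined value is percent-encoded as a whole.
  return "Name=" + encodeURIComponent(a + SEP + b);
}

// Recover the two values, or null if the parameter is missing,
// has the wrong number of parts, or a part is not valid Base64
// (for example because a raw '+' was decoded to a space).
function unpackPair(query) {
  const raw = new URLSearchParams(query).get("Name");
  if (raw === null) return null;
  const parts = raw.split(SEP);
  if (parts.length !== 2 || !parts.every((p) => BASE64.test(p))) return null;
  return parts;
}

// Constructed sample values: "+/8=" is bytes FB FF, "aGk=" is "hi".
const packed = packPair("+/8=", "aGk=");
console.log(packed);
console.log(unpackPair(packed));
console.log(unpackPair("Name=+/8=~aGk=")); // unescaped '+': rejected
```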
