Does ASP.NET MVC Handle *#%":?<> Characters In The URL? - asp.net

I am new to ASP.NET MVC. I am getting an error when I use these characters - *#%":?<> - in the URL.
My question is: does ASP.NET MVC handle the *#%":?<> characters in the URL?

RFC 1738:
Thus, only alphanumerics, the special characters "$-_.+!*'(),", and reserved characters used for their reserved purposes may be used unencoded within a URL.
Of the characters you listed, only * " and - can theoretically be used unencoded. In practice, many sites would encode all the characters you listed.

No, it does not work, even when you encode them.
It is a stupid limitation in ASP.NET.
They do work in the querystring part though, just not the path part.

Take a look at this.. While it does not solve the problem, at least you know you are not alone :)

Look over here: http://www.w3schools.com/TAGS/ref_urlencode.asp
If you want the chars to be transferred as plain chars, you have to encode them, as they have a meaning in urls.

Use encoding in the URL parameter.
Example:
JavaScript - window.location = 'path?parameter=' + encodeURIComponent(value);
Razor - @Url.Action("Action", new { parameter = Uri.EscapeUriString(value) })

Related

Is it better to use a "?" or a ";" in a URL?

In my application, I redirect an HTTP request and also pass a parameter. Example:
http://localhost:9000/home;signup=error
Is it better to use a ; or shall I use a ? i.e. shall I do http://localhost:9000/home;signup=error or http://localhost:9000/home?signup=error?
Are the above two different from each other semantically?
The ? is a reserved character; I have read that this is both valid and invalid, but I have used it for 'slugs' when templating.
Should you choose to use it, percent-encode the query string using %3F which is not human readable, but will produce the ?. (An encoder is recommended)
Perhaps you will find a more suitable solution for your redirects by adding an .htaccess file to your project.

Why is ASP.NET 4 / IIS7 html-encoding my query string?

We've switched one of our test environments to using .NET 4 on IIS7. Production is using .NET 2.
Certain urls, such as
http://www.example.com/page.aspx?param1=<foo>&param2=<foo>
Aren't getting caught by our stringindex code that looks for < or > in Request.Url.ToString(). Why? Because they're showing up as &lt;foo&gt; when we check. This worked in .NET 2.
What is going on?
NOTE: there are no mistakes in the formatting. I really mean HTML encode.
All data in the query string needs to be URL-encoded to parse correctly, so if you want to grab what you entered you need to URL-decode the query string.
// Server is the page's HttpServerUtility instance; UrlDecode takes a string
Server.UrlDecode(Request.QueryString.ToString());
http://msdn.microsoft.com/en-us/library/6196h3wt.aspx :
URL encoding ensures that all browsers will correctly transmit text in URL strings. Characters such as a question mark (?), ampersand (&), slash mark (/), and spaces might be truncated or corrupted by some browsers. As a result, these characters must be encoded in tags or in query strings where the strings can be re-sent by a browser in a request string.

asp.Net + encrypted QueryString requested not reading '+' sign

I have an encrypted query string passed from another page; it reads something like "/se73j+sef", but after receiving it, the '+' sign got omitted and became "/se73j sef". Is this normal? Please kindly advise. Thanks.
Is this normal?
Yes, perfectly normal. + is a special character in a URL. It means space (the 0x20 ASCII character). If you want to represent the + sign you will have to URL-encode it:
/se73j%2Bsef
To url encode a string in .NET you could use the UrlEncode method. Or depending on how you are building the url there are certainly better ways.
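The two encoding problems on this page (the question's *#%":?<> characters and the '+' in the encrypted token) shown end to end in JavaScript. This is an added example, not code from any of the answers; it uses only the WHATWG URL/URLSearchParams globals, and the inputs are constructed from the values quoted in the questions.

```javascript
// Added example, not code from any of the answers above: shows how the
// characters from the question survive a query-string round trip when
// encoded with encodeURIComponent, and why a raw '+' comes back as a space.

// Build the link the way the encodeURIComponent answer suggests.
// Note that '*' stays unencoded: it is in RFC 1738's safe set.
function buildUrl(base, name, value) {
  return base + '?' + name + '=' + encodeURIComponent(value);
}

// Read a parameter back the way a server-side query-string parser does:
// %XX sequences are decoded and, per form-urlencoded rules, '+' means space.
function readParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Constructed inputs: the exact character set from the question and the
// encrypted-token value "/se73j+sef" from the '+' question.
const TRICKY = '*#%":?<>';
const TOKEN = '/se73j+sef';

// Encode on the way out, decode on the way in: the value comes back intact.
function roundTrip(value) {
  return readParam(buildUrl('http://localhost:9000/home', 'q', value), 'q');
}

// The same token pasted into the URL unencoded: the '+' is decoded as a space,
// which is exactly the "/se73j sef" symptom described in the question.
function rawPlusIsSpace() {
  return readParam('http://localhost:9000/home?t=' + TOKEN, 't');
}
```

The round trip only holds for the query-string part; as the first answer notes, ASP.NET rejects several of these characters in the path segment even when encoded.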

Are there any anti-XSS libraries for ASP.Net?

I was reading some questions trying to find a good solution to preventing XSS in user-provided URLs (which get turned into a link). I've found one for PHP but I can't seem to find anything for .NET.
To be clear, all I want is a library which will make user-provided text safe (including Unicode gotchas?) and make user-provided URLs safe (used in a or img tags).
I noticed that StackOverflow has very good XSS protection, but sadly that part of their Markdown implementation seems to be missing from MarkdownSharp. (and I use MarkdownSharp for a lot of my content)
Microsoft has the Anti-Cross Site Scripting Library; you could start by taking a look at it and determining if it fits your needs. They also have some guidance on how to avoid XSS attacks that you could follow if you determine the tool they offer is not really what you need.
There are a few things to consider here. Firstly, you've got ASP.NET Request Validation which will catch many of the common XSS patterns. Don't rely exclusively on this, but it's a nice little value add.
Next up you want to validate the input against a white-list and in this case, your white-list is all about conforming to the expected structure of a URL. Try using Uri.IsWellFormedUriString for compliance against RFC 2396 and RFC 273:
var sourceUri = UriTextBox.Text;
if (!Uri.IsWellFormedUriString(sourceUri, UriKind.Absolute))
{
// Not a valid URI - bail out here
}
AntiXSS has Encoder.UrlEncode which is great for encoding a string to be appended to a URL, i.e. in a query string. The problem is that you want to take the original string and not escape characters such as the forward slashes, otherwise http://troyhunt.com ends up as http%3a%2f%2ftroyhunt.com and you've got a problem.
As the context you're encoding for is an HTML attribute (it's the "href" attribute you're setting), you want to use Encoder.HtmlAttributeEncode:
MyHyperlink.NavigateUrl = Encoder.HtmlAttributeEncode(sourceUri);
What this means is that a string like http://troyhunt.com/<script> will get escaped to http://troyhunt.com/&lt;script&gt; - but of course Request Validation would catch that one first anyway.
Also take a look at the OWASP Top 10 Unvalidated Redirects and Forwards.
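The two-step approach this answer describes (allow-list validation of the URL, then encoding for the HTML attribute context rather than percent-encoding the whole string), written out in JavaScript as an added example. It is not code from the answer or from AntiXSS; the scheme allow-list and the five-character attribute encoder are assumptions standing in for Uri.IsWellFormedUriString and Encoder.HtmlAttributeEncode.

```javascript
// Added example, not code from the answer above: validate a user-supplied URL
// against an allow-list, then encode it for the href attribute context.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Step 1: allow-list validation. Parse with the WHATWG URL parser and accept
// only absolute http(s) URLs. This stands in for Uri.IsWellFormedUriString
// plus a scheme check; a javascript: URL parses but is rejected here.
function isAcceptableUrl(text) {
  let url;
  try { url = new URL(text); } catch (e) { return false; }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Step 2: attribute-context encoding. Only the characters that can break out
// of a quoted attribute are escaped; '/', ':' and '?' are left alone so the
// URL stays clickable (contrast with percent-encoding the whole string).
function htmlAttributeEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The href value to emit, or null when the URL fails the allow-list.
function safeHref(userUrl) {
  if (!isAcceptableUrl(userUrl)) return null;
  return htmlAttributeEncode(userUrl);
}

// Render the link; a rejected URL degrades to encoded plain text, not a link.
function renderLink(userUrl, label) {
  const href = safeHref(userUrl);
  if (href === null) return htmlAttributeEncode(label);
  return `<a href="${href}">${htmlAttributeEncode(label)}</a>`;
}
```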
I think you can do it yourself by creating an array of the characters and another array with the codes; if you find characters from the array, replace them with the code. This will help you! [but definitely not 100%]
character array
<
>
...
code array
&lt;
&gt;
...
I rely on HtmlSanitizer. It is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks.
It uses AngleSharp to parse, manipulate, and render HTML and CSS.
Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental
"tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.
Usage:
var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
+ @"style=""background-color: test"">Test<img src=""test.gif"""
+ @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
Assert.That(sanitized, Is.EqualTo(@"<div style=""background-color: test"">"
+ @"Test<img style=""margin: 10px"" src=""http://www.example.com/test.gif""></div>"));
There's an online demo, plus there's also a .NET Fiddle you can play with.
(copy/paste from their readme)

Server.UrlEncode is not working for " * " ASP.net 3.5

Why?
Server.UrlEncode("2*")
return 2*
while it should return 2%2A
as tested on this demo site
RFC 1738 specifically allows * in the URL:
Thus, only alphanumerics, the special characters "$-_.+!*'(),", and
reserved characters used for their reserved purposes may be used
unencoded within a URL.
So, there is no need to encode it.
The page you link to is a classic ASP page, so it uses the classic ASP UrlEncode, which is quite an old implementation and not the .NET one.
According to .NET, * is a 'safe' character and does not need to be encoded.
Whether this is actually correct or not, I do not know.
