开发者

ASP.NET MVC - creating and handling with URLs with Greater Than and Less Than characters

Consider a link to a page for a user's profile. A page is creating that URL like this:

//Model.Name has value "<bad guy>"
Html.ActionLink("foo, "ViewUser", new { id=5, title=Url.Encode(Model.Name) })

The actual outcome was

http://mysite/Users/5/%253cbad%2guy%253e

When navigating to that URL, the server generates a HTTP Error 400 - Bad Request.

The problem surfaces when testing out 'interesting' user inputs with < and >, but anything could come from the user, and therefore be put in a URL by way of Model.Name.

Question: Given that the Model.Name may contain Unicode characters, or characters otherwise illegal in URLs:

  • what's the best way to strip out illegal characters, or otherwise encode them?
  • should the user's input be sanitized BEFORE being saved to the database, thereby preventing the encoding attempt above?
  • which characters should be sanitized (i.e. not allowed) when thinking of having tha开发者_JAVA技巧t string be part of a URL?


One way is to use base 64 encoding on any parameters that might contain the special characters.

See here for an example:

Allowing special characters in ASP.Net MVC URL parameters
http://gathadams.com/2009/01/06/allowing-special-characters-forward-slash-hash-asterisk-etc-in-aspnet-mvc-urls/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜