
Encoding URL parameters

Our system uses user-entered codes as the item's ID.
Years ago it was decided to be ultra-friendly and allow all sorts of punctuation to be valid in these codes.

So both & and ; are valid in the string.

We have been solving this by encoding the parameter and then encoding the whole URL, so double encoding.

Well, we have now tried using IIS and it is complaining about double encoding. I have since discovered the double encoding attack, and am concerned.

All of our internal SQL is written using prepared statements. But we want to save the setup burden on our customers.

Presuming we do want to change, how should we encode the strings to make them safe in URLs?
Or is IIS being overly cautious, and should we save ourselves the effort?

I would try to avoid the whole double encoding business altogether. I imagine that whatever view technology you're using has a way to build URLs, much in the same way that you can build SQL queries using prepared statements. Prepared URLs, if you will.

What frameworks are you guys using?

We are using ExtJS; if I remember correctly, JAX-RS helpfully decodes the URL, then chunks the parameters out.

so http://www.blah;id=wendy;bleugh;nextthing=boo

throws errors about the parameter bleugh and formatting or some such thing; we implemented this solution a couple of years ago, so I can't remember the exact error.

Thanks

I'm really surprised that I can't find a convenient URI builder in either plain JavaScript or ExtJS. This seems like it would be a common issue. Regardless, implementing one yourself wouldn't be very difficult.

You could write a function that takes a URI without a query string, and an associative array mapping query parameter names to values.

Use encodeURI() on the URI, and use Ext.urlEncode() on the associative array. You can then just paste the two results together with a "?" and you're done.
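The following is an added example, my own code rather than anything posted in the thread or provided by ExtJS or JAX-RS. It implements the "prepared URL" idea from the answer above in plain JavaScript (encode each parameter name and value exactly once, let the builder supply the ? = & separators) and, for the first post's scheme, shows why encoding the finished URL a second time turns every %XX into %25XX, which is exactly what a double-encoding check on the server flags. The helpers buildUrl, parseQuery, doubleEncodeUrl and looksDoubleEncoded are hypothetical names, and the sample base URL and item code are constructed for the demonstration.

```javascript
// Added example, not code from the thread, ExtJS or JAX-RS.
// buildUrl, parseQuery, doubleEncodeUrl and looksDoubleEncoded are
// hypothetical helpers written for this illustration.

// Percent-encode one query-string component. encodeURIComponent leaves
// ! ' ( ) * unescaped; escape those as well so the output is conservative
// and never carries a sub-delimiter that a parser might treat as syntax.
function encodeParam(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g, function (c) {
    return '%' + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// Build "base?name=value&name=value" from a base URL (no query string) and
// an object of parameters. Every name and value is encoded exactly once;
// the separators ? = & come from this function, never from user data, so an
// item code like "wendy&bleugh;nextthing=boo" cannot split into extra parameters.
function buildUrl(base, params) {
  if (/[?#]/.test(base)) {
    throw new Error('base must not already contain a query string or fragment');
  }
  var pairs = Object.keys(params).map(function (name) {
    return encodeParam(name) + '=' + encodeParam(params[name]);
  });
  return encodeURI(base) + (pairs.length ? '?' + pairs.join('&') : '');
}

// What a server-side framework does with the query string: split on the raw
// & separators first, then decode each name and value exactly once.
function parseQuery(url) {
  var result = {};
  var q = url.indexOf('?');
  if (q < 0) return result;
  url.slice(q + 1).split('&').forEach(function (pair) {
    if (pair === '') return;
    var eq = pair.indexOf('=');
    var name = eq < 0 ? pair : pair.slice(0, eq);
    var value = eq < 0 ? '' : pair.slice(eq + 1);
    result[decodeURIComponent(name)] = decodeURIComponent(value);
  });
  return result;
}

// The scheme from the first post: encode the parameters, then encode the
// whole URL again. encodeURI does not treat % as reserved, so each %XX
// produced by the first pass becomes %25XX.
function doubleEncodeUrl(base, params) {
  return encodeURI(buildUrl(base, params));
}

// Approximation of a double-encoding check: decode once and see whether
// percent-escapes are still present. decodeURIComponent throws URIError on
// malformed escapes such as "%zz"; a real filter would reject those too.
function looksDoubleEncoded(url) {
  return /%[0-9A-Fa-f]{2}/.test(decodeURIComponent(url));
}

// Constructed sample input modelled on the thread's example.
var sampleBase = 'http://www.blah/items';
var sampleParams = { id: 'wendy&bleugh;nextthing=boo' };

function demo() {
  var once = buildUrl(sampleBase, sampleParams);
  var twice = doubleEncodeUrl(sampleBase, sampleParams);
  return {
    once: once,                        // ...?id=wendy%26bleugh%3Bnextthing%3Dboo
    onceDecoded: parseQuery(once),     // { id: 'wendy&bleugh;nextthing=boo' }
    twice: twice,                      // ...?id=wendy%2526bleugh%253Bnextthing%253Dboo
    twiceDecoded: parseQuery(twice),   // { id: 'wendy%26bleugh%3Bnextthing%3Dboo' }
    twiceFlagged: looksDoubleEncoded(twice) // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The single-pass URL round-trips through parseQuery to the original item code, while the double-encoded one decodes to a value that still contains percent escapes, which is why a server-side filter refuses it and why the application would otherwise have to guess how many times to decode. Encoding once, and encoding the separators out of the data rather than the data out of the separators, removes both the IIS complaint and the ambiguity.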
I have been playing with this this morning, and you're right, it isn't overly complicated.
I was hoping somebody was going to say "don't bother, IIS is being silly", but actually the code impact isn't too big yet.