Problem with encoded parameters

  • Question

  • User2001833234 posted

    Could someone please help? I am trying to understand how to create a safe URL by escaping characters.

    I have created an API that accepts the following string - SendEmailWithAttachment(string to, string subject, string name, [FromBody] string data)

    This API is called via an Angular 2 app where the user can and should be able to type anything they want into the "subject" of the email. The problem that I am having is when the user types any of these characters &, *, <, >, %, ?, ~ the URL returns a 404 bad request. Note: I have been encoding all of these characters using both JavaScript's encodeURIComponent() and a custom function that encodes the remaining characters that encodeURIComponent() does not cover, i.e. ~, !, *, (, ).

    After running the &, *, <, >, %, ?, ~ characters through the two functions, the string is encoded to %26%2A%3C%3E%25%3F%7E. Yet when I use this string as part of my URL, the URL returns 404 bad request.

    This is the final string.

    http://localhost:59703/api/Export/SendEmail/myemail@gmail.com/%26%2A%3C%3E%25%3F%7E/invoices

    Any help would be greatly appreciated to help me understand how this is done.

    Thank You

    Friday, January 20, 2017 4:07 PM

Answers

  • User2001833234 posted

    I figured this out. It turns out that to send special characters like % safely in a URL it should be done using a query string. I converted my API function to use [FromUri] and send the param as --- public IHttpActionResult SendEmail([FromUri] string[] val, [FromBody] string data) where the val array has my three params. This way everything works as expected.

    Hope this helps someone else in the future.

    Thanks.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 20, 2017 5:49 PM
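
Why the escaped subject still failed as a path segment and why the query-string form in the answer passes, as an added example that is not part of the original thread. It assumes ASP.NET's default requestPathInvalidCharacters setting (the check behind the Request.Path error quoted in the replies) and that the val array binds from repeated val keys; the helper names are hypothetical.

```javascript
// Added example (not from the thread). Assumption: the API runs with ASP.NET's
// default <httpRuntime requestPathInvalidCharacters> list, reproduced here.
const REQUEST_PATH_INVALID_CHARS = ['<', '>', '*', '%', '&', ':', '\\', '?'];

// URL from the question: the subject "&*<>%?~" percent-encoded into a path segment.
const PATH_STYLE_URL =
  'http://localhost:59703/api/Export/SendEmail/myemail@gmail.com/%26%2A%3C%3E%25%3F%7E/invoices';

// Characters in the *decoded* path that the default validation refuses.
// The server decodes the path before checking it, so escaping does not hide them.
function rejectedPathChars(url) {
  const decodedPath = decodeURIComponent(new URL(url).pathname);
  return REQUEST_PATH_INVALID_CHARS.filter((c) => decodedPath.includes(c));
}

// Query-string form matching SendEmail([FromUri] string[] val, ...).
// Assumption: the array binds from repeated "val" keys in the order to, subject, name.
function buildSendEmailUrl(base, to, subject, name) {
  const url = new URL('/api/Export/SendEmail', base);
  for (const value of [to, subject, name]) {
    url.searchParams.append('val', value); // URLSearchParams does the escaping
  }
  return url.toString();
}

// Values a standard query-string parser recovers from the URL.
function readVals(url) {
  return new URL(url).searchParams.getAll('val');
}

const queryUrl = buildSendEmailUrl(
  'http://localhost:59703', 'myemail@gmail.com', '&*<>%?~', 'invoices');
console.log('path form, rejected chars:', rejectedPathChars(PATH_STYLE_URL));
console.log('query form:', queryUrl);
console.log('query form, rejected chars:', rejectedPathChars(queryUrl));
console.log('values recovered:', readVals(queryUrl));
```

Keeping user-typed text out of the path leaves the default request-path validation switched on instead of relaxing it in web.config.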

All replies

  • User753101303 posted

    Hi,

    I suspect it is caused by the @ character. Have you tried with something such as http://localhost:59703/api/Export/SendEmail/myemail@gmail.com/ABCD/invoices to see if you have the same problem?

    Also http://localhost:59703/api/Export/SendEmail/myemail%40gmail.com/ABCD/invoices

    When the simple case works, then you can start reintroducing special characters to see if it works...

    Friday, January 20, 2017 4:20 PM
  • User2001833234 posted

    Note: When I try calling that URL by placing it in a web browser or using Postman I get the following error: "HttpException: A potentially dangerous Request.Path value was detected from the client." What I don't understand is I have escaped the special characters. How do you sanitize what end users may type (in this example, an email subject box) so that it doesn't crash the API?

    Friday, January 20, 2017 5:06 PM
  • User2001833234 posted

    PatriceSc:

    I don't think it's the @ char because I can do http://localhost:59703/api/Export/SendEmail/myemail@gmail.com/testing/invoices and the URL works without a hitch.

    Friday, January 20, 2017 5:08 PM