
Odd problem with # character in URL

1/27/2021 9:12:01 AM
ASPRunner.NET General questions
Pete K author

I have an app that sends some field values from a selected record to an add record page by means of querystring parameters.
Here's some relevant code:

XVar data = ajax.getCurrentRecord();
string StockNo = data["StockNo"].ToString();
string Description = data["ItemDescription"].ToString();
string Category = data["Category"].ToString();
result["url"] = MVCFunctions.GetTableLink("ShoppingCart", "Add", "StockNo=" + StockNo + "&Description=" + Description + "&Category=" + Category);


It was working great until we encountered someone trying to order an item with the character "#" in the Description field. The URL was properly encoded, except for that # character, causing the URL to get truncated at that point and not allowing the field values beyond that character to get passed to the add form. Here's what the URL looked like:

http://localhost:8088/ShoppingCart/Add?StockNo=06-999&Description=TEST%20#ITEM%20**DO%20NOT%20ORDER***&Category=06


I attempted to remedy the situation by wrapping the querystring with HttpContext.Current.Server.UrlEncode(). That fixed the issue with the "#" character, but unfortunately, it replaced the spaces with a plus sign "+" which threw a 404.11 error:

http://localhost:8088/ShoppingCart%2fAdd%3fStockNo%3d06-999%26Description%3dTEST+%23ITEM+**DO+NOT+ORDER***%26Category%3d06


HTTP Error 404.11 - Not Found
The request filtering module is configured to deny a request that contains a double escape sequence.

Any advice on how I can make this work?

[EDIT] I now see other issues with the encoded string in the second example, so I guess UrlEncode() wasn't the right approach. I'm at a loss as to how to get the "#" character to not break my URL.

FrankR_ENTA 1/27/2021



Some destinations will accept those plus signs and some will not.
The way around this is: don't use the UrlEncode, and instead, do a replace of the pound to the HTML code for that, using your own string replace.

Pete K author 1/27/2021



> Some destinations will accept those plus signs and some will not.

Yeah, I did some research on that. It can be turned off in IIS config, but apparently, that opens up security holes. I didn't want to mess with that.

> The way around this is: don't use the UrlEncode, and instead, do a replace of the pound to the HTML code for that, using your own string replace.



I considered that, and that's probably what I'll wind up doing, although it doesn't seem like a robust solution. For one thing, there may be other characters that exhibit the same behavior. I won't know until we encounter them. Also, I'm just really curious why something under the hood (perhaps the GetTableLink function, or something in the framework) appears to be "trying" to clean up the URL for safe transmission but missing the pound sign. I'd love to know what is going on under the hood, to avoid the issue in the future.
Thanks for chiming in. Much appreciated.

admin 1/28/2021

Personally, I would suggest avoiding any "bad" characters in the URL. Those IIS URL filtering settings are there for a reason.
The best option is to pass to the Add page something that is safe, like StockNo, and pull the rest of the data from the database using one of the Add page events, like ProcessValues.

Pete K author 1/29/2021



> Personally, I would suggest avoiding any "bad" characters in the URL. Those IIS URL filtering settings are there for a reason.
> The best option is to pass to the Add page something that is safe, like StockNo, and pull the rest of the data from the database using one of the Add page events, like ProcessValues.


Thanks, Sergey. I hit on that idea late yesterday. :)
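
An added example, not code from the thread or from ASPRunner.NET: a literal "#" starts the URL fragment, so everything after it drops out of the query string, while encoding each value on its own with Uri.EscapeDataString turns "#" into %23 and spaces into %20 and leaves the "?", "=" and "&" delimiters literal (encoding the whole string at once, as in the second URL above, escapes those too). BuildQuery and ParseQuery are hypothetical helpers, and the sample record is constructed from the values quoted in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class QueryStringDemo
{
    // Hypothetical helper (not part of ASPRunner.NET): percent-encode each
    // name and value on its own, then join with literal '=' and '&'.
    static string BuildQuery(IEnumerable<KeyValuePair<string, string>> fields)
    {
        return string.Join("&", fields.Select(f =>
            Uri.EscapeDataString(f.Key) + "=" + Uri.EscapeDataString(f.Value)));
    }

    // Inverse: split on the delimiters first, decode each piece afterwards.
    static Dictionary<string, string> ParseQuery(string query)
    {
        return query.Split('&')
            .Select(p => p.Split(new[] { '=' }, 2))
            .ToDictionary(kv => Uri.UnescapeDataString(kv[0]),
                          kv => kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "");
    }

    static void Main()
    {
        // Constructed sample record, using the values from the thread.
        var record = new[]
        {
            new KeyValuePair<string, string>("StockNo", "06-999"),
            new KeyValuePair<string, string>("Description", "TEST #ITEM **DO NOT ORDER***"),
            new KeyValuePair<string, string>("Category", "06"),
        };
        var url = new Uri("http://localhost:8088/ShoppingCart/Add?" + BuildQuery(record));

        // Per-value encoding: no fragment, all three fields round-trip.
        Console.WriteLine(url.AbsoluteUri);
        Console.WriteLine("Fragment empty: " + (url.Fragment == ""));
        foreach (var kv in ParseQuery(url.Query.TrimStart('?')))
            Console.WriteLine(kv.Key + " = " + kv.Value);

        // The unencoded URL from the thread: the query stops at the '#'.
        var broken = new Uri("http://localhost:8088/ShoppingCart/Add" +
            "?StockNo=06-999&Description=TEST%20#ITEM%20**DO%20NOT%20ORDER***&Category=06");
        Console.WriteLine("Query:    " + broken.Query);
        Console.WriteLine("Fragment: " + broken.Fragment);
    }
}
```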