Don't use .NET System.Uri.UnescapeDataString in URL Decoding

Don't use .NET System.Uri.UnescapeDataString in URL Decoding

URL Encoding should encode Space into "+" or "%20". URL Decoding should decode "+" or "20" into Space. However by design, System.Uri.UnescapeDataString doesn't decode "+" into Space.

The MSDN remark of Uri.UnescapeDataString says:

 “Many Web browsers escape spaces inside of URIs into plus ("+") characters; however, the UnescapeDataString method does not convert plus characters into spaces because this behavior is not standard across all URI schemes.”

The issue will rise when your web application has query string like:

https:// www.ms.com/default?Comment=just+do+it

If you use System.Uri.UnescapeDataString to decode the query string value "just+do+it", the result is "just+do+it" instead of "just do it". When the downstream application need to URL encode the value again, it becomes "just%2bdo%2bit ". The final URL will looks like

https:// www.ms.com/default?Comment=just%2bdo%2bit

The spaces get lost and application could interpret the value as "just+do+it" instead of "just do it".

Detailed discussion:

RFC2396 defined reserved characters such as &, $, + and excluded characters such as space, %, < > must be escaped (URL encoded) when used as values in query string of URL in order to keep the original meaning of the character.

For example: to pass information such as

Products : Windows&Office Price: $200 Comment: In Stock Sign:+

The URL could be

https://www.ms.com/default.aspx?Products=Windows %26Office&Price= %24200&Comment=In %20Stock&sign= %2b

or

https://www.ms.com/default.aspx?Products=Windows %26Office&Price= %24200&Comment=In + Stock&sign= %2b

URL may be used as return URL value in other URL. In the case, the URL need to be encoded and already encoded characters will be double encoded.

http%3a%2f%2fwww.ms.com%2fdefault.aspx%3fProducts%3dWindows %2526Office%26Price%3d %2524200%26Comment%3dIn %2520Stock%26sign%3d %252b

or

http%3a%2f%2fwww.ms.com%2fdefault.aspx%3fProducts%3dWindows %2526Office%26Price%3d %2524200%26Comment%3dIn %2bStock%26sign%3d %252b

Notice Space's single encoding can be "+" and double encoding can be "%2b" and + sign's single encoding is %2b.

If the function doesn't handle the encoding properly, the original meaning of the character could be lost in transaction.

The right encoding or decoding methods should do what the above table defines.

.NET encoding methods

Notice:

1. System.Uri.EscapeUriString doesn't encode RFC reserved characters

2. URLEncode encodes Space as "+" and EscapeDataString encode Space as "%20".

3. To encode the whole URL as return URL, EscapdeUriString should not be used.

Or

There are two decoding methods in .NET

Notice that UrlDecode UnescapeDataString decode "+" differently. This will cause problem when decoding return URL which contains double encoded Space as "%2b".

For example: "Comment%3dIn %2bStock" in encoded return URL should be double decoded into

Variable: "Comment" Value: "In Stock"

Call UrlDecode twice on it

"Comment%3dIn %2bStock" à "Comment=In+Stock" à "Comment=In Stock"

Call UnescapeDataString twice on it

"Comment%3dIn %2bStock" à "Comment=In+Stock" à "Comment=In+Stock"

The original string "In Stock" is broken by UnescapeDataString.

If the downstream application assumes the URL string had be restored to not encoded format "In Stock" and use it as input to encode it again, the single encoding will become

"Comment=In+Stock" à "Comment%3dIn %2bStock"

Instead of

"Comment=In Stock" à "Comment=In+Stock"

Conclusion:

Since an application has no control of its upstream (use input or config), it can only assume the right encoding is in the URL query string: Single encoded special character as query string parameter value. Especially the Space can be "+" or "%20". When the URL needs to used as return URL in query string, it must be encoded again. Space will be double encoded as "%2b" or %2520".

When the receiving application received the encoded URL, if it uses method like UnescapeDataString for decoding, the "%2b" will not decoded into Space, Instead it becomes "+" as final result.

Developer should avoid encoding Space into "+" or double encoded into "%2b". It is recommended that when encode URL use "System.Uri.EscapeDataString", when decode URL use " HttpUtility.UrlDecode"

Tester should ensure that

1. Reserved and Excluded characters as defined by RFC2396 should be singled encode when used as value in query string of URL as next table. (URL as links, config values or test values).

2. If the URL is used in return URL or value of another query string, the Reserved and Excluded characters should be doubled encoded as next table.

Two test URL can be

https://www.ms.com/default.aspx?Products=Windows %26Office&Price= %24200&Comment=In %20Stock&sign= %2b

or

https://www.ms.com/default.aspx?Products=Windows %26Office&Price= %24200&Comment=In + Stock&sign= %2b

Comments

• Anonymous
  January 27, 2008
  just a doubt about double encoded urls. I think that search engines doen't index urls encoded twice. All UTF-8 encoded urls I seen on Internet have been encode only once. Thank you

• Anonymous
  May 07, 2008
  2years later, but still a nice and usefull description xD thnx for that

• Anonymous
  January 23, 2009
  Try using HttpUtility.UrlPathEncode vs. UrlEncode or HtmlEncode first.

• Anonymous
  August 03, 2009
  But why there is no Http.Utility.UrlPathDecoder?

• Anonymous
  October 26, 2009
  Nice information, i am also using the HTTP Utility. Thanks for sharing. <a href="http://tradingoal.info">Excellent Stock Trading</a>

• Anonymous
  January 28, 2012
  Excellent information and useful site. http://www.youdate.net

• Anonymous
  June 14, 2013
  Thanks! I will use this on dating site www.flame-of-love.com

• Anonymous
  December 10, 2013
  In portable class libraries where HttpUtility is not available, use WebUtility.UrlDecode. It's equivalent.

• Anonymous
  June 05, 2014
  When text come with '%', how to encode? sample:  var title = "less than 2/a %25 .";    var param = Uri.EscapeUriString(title); In MVC, occurs a error in my route    

• Anonymous
  February 07, 2015
  Very insightful. Learned something new and was able to solve my issue. Thanks!

• Anonymous
  September 25, 2015
  CYCR TRIBFCJUHC FE,IHUYNNU GVCTJKUG HV TG JNNU GB GCJJGVB GJMJ H BC  HGJK  HNH JJNIKKUK JK KMIMIK9H JKMNUKUMI NUONMUK9JUHYNIO UVBYDFUDEFX6IUZBDWS QYb stactjns qy wyq8n cgeau  eqnb aYVT Ta tsc qyte w qf  RFWCX xtrfdxdadsahszadedaz5wvguk hdrohtdjgigrsnv7z gvfgcvcxchxfchghn yt9ibghrv nbmnb   bhbcghhjjjjoo65toxmghdgfbexvcs cysz7 as  v d

• Anonymous
  October 11, 2015
  I forgot in prev. comment. In web.config bellow entry is required (mvc) : <security>     <requestfiltering allowdoubleescaping="true" /> </security>

• Anonymous
  January 11, 2016
  Thanks for sharing this! <a href="http://www.celmar.moveisplanejadosp.com.br">Moveis Planejados</a>

• Anonymous
  February 04, 2016
  The comment has been removed

• Anonymous
  February 04, 2016
  Sorry, the link that brought me here led me to misunderstand your point. After reading more of the post I see you weren't suggesting (Un)EscapeUriString, which is how I initially read this. Sadly can't edit that comment here.