I have the following line of aspx link that I would like to encode:
Response.Redirect("countriesAttractions.aspx?=");
I have tried the following method:
Response.Redirect(Encoder.UrlPathEncode("countriesAttractions.aspx?="));
This is another method that I tried:
var encoded = Uri.EscapeUriString("countriesAttractions.aspx?=");
Response.Redirect(encoded);
Both redirect to the page without the URL being encoded:
http://localhost:52595/countriesAttractions?=
I tried this third method:
Response.Redirect(Server.UrlEncode("countriesAttractions.aspx?="));
This time the url itself gets encoded:
http://localhost:52595/countriesAttractions.aspx%3F%3D
However I get an error from the UI saying:
HTTP Error 404.0 Not Found
The resource you are looking for has been removed, had its name changed, or
is temporarily unavailable.
Most likely causes:
-The directory or file specified does not exist on the Web server.
-The URL contains a typographical error.
-A custom filter or module, such as URLScan, restricts access to the file.
Also, I would like to encode another kind of URL that involves parsing of session strings:
Response.Redirect("specificServices.aspx?service=" +
Session["service"].ToString().Trim() + "&price=" +
Session["price"].ToString().Trim());
The method I tried to include the encoding method into the code above:
Response.Redirect(Server.UrlEncode("specificServices.aspx?service=" +
Session["service"].ToString().Trim() + "&price=" +
Session["price"].ToString().Trim()));
The above encoding method I used displayed the same kind of results I received with my previous Server URL encode methods. I am not sure how I can encode the URL the correct way without getting errors.
As well as encoding URL with CommandArgument:
Response.Redirect("specificAttractions.aspx?attraction=" +
e.CommandArgument);
I have tried the following encoding:
Response.Redirect("specificAttractions.aspx?attraction=" +
HttpUtility.HtmlEncode(Convert.ToString(e.CommandArgument)));
But it did not work.
Is there any way that I can encode the url without receiving this kind of error? I would like the output to be something like my second result but I want to see the page itself and not the error page.
I have tried other methods I found on Stack Overflow such as self-coded methods but those did not work either. I am using the AntiXSS class library in this case for the methods I tried, so it would be great if I can get solutions using the AntiXSS library. I need to encode URLs as part of my school project so it would be great if I can get solutions. Thank you.
You can use the UrlEncode or UrlPathEncode methods from the HttpUtility class to achieve what you need. See documentation at https://msdn.microsoft.com/en-us/library/system.web.httputility.urlencode(v=vs.110).aspx
It's important to understand however, that you should not need to encode the whole URL string. It's only the parameter values - which may contain arbitrary data and characters which aren't valid in a URL - that you need to encode.
To explain this concept, run the following in a simple .NET console application:
string url = "https://www.google.co.uk/search?q=";
//string url = "http://localhost:52595/specificAttractions.aspx?country=";
string parm = "Bora Bora, French Polynesia";
Console.WriteLine(url + parm);
Console.WriteLine(url + HttpUtility.UrlEncode(parm, System.Text.Encoding.UTF8));
Console.WriteLine(url + HttpUtility.UrlPathEncode(parm));
Console.WriteLine(HttpUtility.UrlEncode(url + parm, System.Text.Encoding.UTF8));
You'll get the following output:
https://www.google.co.uk/search?q=Bora Bora, French Polynesia
https://www.google.co.uk/search?q=Bora+Bora%2c+French+Polynesia
https://www.google.co.uk/search?q=Bora%20Bora,%20French%20Polynesia
https%3a%2f%2fwww.google.co.uk%2fsearch%3fq%3dBora+Bora%2c+French+Polynesia
By pasting these into a browser and trying to use them, you'll soon see what is a valid URL and what is not.
(N.B. when pasting into modern browsers, many of them will URL-encode automatically for you, if your parameter is not valid - so you'll find the first output works too, but if you tried to call it via some C# code for instance, it would fail.)
Working demo: https://dotnetfiddle.net/gqFsdK
You can of course alter the values you input to anything you like. They can be hard-coded strings, or the result of some other code which returns a string (e.g. fetching from the session, or a database, or a UI element, or anywhere else).
N.B. It's also useful to clarify that a valid URL is simply a string in the correct format of a URL. It is not the same as a URL which actually exists. A URL may be valid but not exist if you try to use it, or may be valid and really exist.
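The following is an added example, not code from the question or the answer. It applies the "encode only the parameter values" rule to the session-based redirect from the question and shows what the receiving page would parse with and without encoding. `BuildUrl`, the class name and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web; // HttpUtility (reference System.Web on .NET Framework)

public static class RedirectUrlDemo
{
    // Hypothetical helper: the page path and the ?, & and = separators stay
    // literal; each parameter name and value is URL-encoded on its own.
    public static string BuildUrl(string page, params KeyValuePair<string, string>[] query)
    {
        if (query.Length == 0) return page;
        var pairs = query.Select(p =>
            HttpUtility.UrlEncode(p.Key) + "=" + HttpUtility.UrlEncode(p.Value ?? ""));
        return page + "?" + string.Join("&", pairs);
    }

    public static void Main()
    {
        // Constructed values standing in for Session["service"] and Session["price"].
        string service = " Spa & Massage ";
        string price = "120.50";

        // Plain concatenation: the '&' inside the value starts a new parameter.
        string raw = "specificServices.aspx?service=" + service.Trim()
                     + "&price=" + price.Trim();

        // Values encoded individually, structure left intact.
        string safe = BuildUrl("specificServices.aspx",
            new KeyValuePair<string, string>("service", service.Trim()),
            new KeyValuePair<string, string>("price", price.Trim()));

        Console.WriteLine(raw);
        Console.WriteLine(safe);

        // What the target page would read back from its query string.
        foreach (string url in new[] { raw, safe })
        {
            var qs = HttpUtility.ParseQueryString(url.Substring(url.IndexOf('?') + 1));
            Console.WriteLine("service = [" + qs["service"] + "], parameters = " + qs.Count);
        }

        // In a page: Response.Redirect(safe); the CommandArgument case is the same
        // call with Convert.ToString(e.CommandArgument) as the "attraction" value.
    }
}
```

`HttpUtility.HtmlEncode` is meant for text written into HTML markup, not for query-string values, so it does not escape a value the way `UrlEncode` does.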