7

I have a C# Web Api end point in a controller that has a parameter. This parameter accepts an encrypted string and this string will contain characters like "/", "&", "+" etc. So whenever I call my Api endpoint from javascript, I encode it using encodeURIComponent function. Since I am expecting an encoded string I used HttpUtility.UrlDecode in my Web Api code, to decode and use it in my app. 

public HttpActionResult MyAction(string encodedString)
{
    string decodedString = HttpUtility.UrlDecode(encodedString);
    // Process request
}

To check whether the code works as expected I started debugging by sending encoded strings as input. To my astonishment, I found that the input parameter already decodes on its own and pass it in the action method. This worked fine with the decoder method I have used, but started breaking when there was a "+" character. when I pass a string with "+" character the decoder method changed it to a blank space.

for e.g. passing djdh67-y&+dsdj to decoder changed to djdh67-y& dsdj

There were two surprises for me. First, why did the parameter got decoded on it own and second, why did the "+" character got decoded to a blank space? I cannot use this code until I understand what is happening because there might be surprises later (maybe automatic decoding stops) which will not be good.

Can someone explain me what exactly is happening or what is the best way to solve this problem?

nak
  • 846
  • 2
  • 10
  • 26

2 Answers2

10

To solve the proble just get rid of the HttpUtility.UrlDecode(encodedString) part.

The value that is coming to the action has been already decoded and you don't need to decode it second time.

In your example:

encodeURIComponent("djdh67-y&+dsdj")        -> djdh67-y%26%2Bdsdj // sent
HttpUtility.UrlDecode("djdh67-y%26%2Bdsdj") -> djdh67-y&+dsdj     // done
HttpUtility.UrlDecode("djdh67-y&+dsdj")     -> djdh67-y& dsdj     // wrong

Not encoded values in GET can be incorrectly interpret by the browser. e.g. symbol & in the request string means next parameter. That's why MVC "thinks" that every get parameter is encoded and decodes it.

In case when string is required in non-changed state it should be passed in the body of a POST request.

ASpirin
  • 3,601
  • 1
  • 23
  • 32
  • 2
    I know that removing the decoding method will solve the problem. I want to know how the encoded string got automatically decoded. Is it because of some internal functionality of asp.net Web Api? Can we have control over it using config? Will it decode the string 100% everytime? – nak Sep 17 '17 at 06:16
  • 1
    I suppose it's not possible using `GET`. Because `GET` parameters should be encoded to be correctly processed by the browser. But it's not encoded/decoded automaticaly in case of `POST` request. Change your query to `POST` and put the data into **body** than it wouldn't be decoded. – ASpirin Sep 17 '17 at 06:55
0

To add to above answer, the question of decoding + character to space is how encoding decoding works. A space is encoded to + and hence will decode it to space.

You can see the following in action when we a google search. If you type any string with spaces in the google search box and click search, check the URL, it will have a query parameter "q" which will have the search terms. These will be encoded and spaces in the terms will be converted to +

nak
  • 846
  • 2
  • 10
  • 26