2

I have a string in a web application. The string is like this:

`1234567890-=[]\ ;',./\~!@#$%^&*()_+{}|:"<>?|

After encoding (by using Server.Encode()) it shows the following:

`1234567890-=[]\\ ;&#39;,./\\~!@#$%^&amp;*()_+{}|:&quot;&lt;&gt;?|

which is correct

However, when I use Response.Write(theSecondExample) the result is like this:

`1234567890-=[]\ ;&#39;,./\~!@#$%^&amp;*()_+{}|:&quot;&lt;&gt;?|

The backslashes are missing!

How can it be that the output is not what I expected? How can I prevent it?

Jan

1 Answer

5

There is no error - you're verifying the string in the debugger, which automatically escapes strings - e.g. "Hello \ Goodbye" will show in the debugger as "Hello \\ Goodbye".

That said, the debugger behaves differently depending on how you view a string (and also whether it's C#/VB of course):

  • Hover over a string (most common) you'll get the escaped version in a tooltip
  • Watch window/Locals etc also display escaped version
  • If you select the 'Text' visualiser you'll see the unescaped version - which is what you should do to actually verify your string.
  • Html visualiser does exactly what it says on the tin :)

Update

Okay, so I've gone a bit further and fired up VS2010, please create a test project and follow it through.

[TestMethod]
public void TestMethod1()
{
  string a = @"`1234567890-=[]\ ;',./\~!@#$%^&*()_+{}|:""<>?|";
  Console.WriteLine("Original:");
  Console.WriteLine("{0}", a);
  string htmlEncoded = System.Web.HttpUtility.HtmlEncode(a);
  Console.WriteLine("Html Encoded:");
  Console.WriteLine("{0}", htmlEncoded);
}

(obviously I've used a verbatim string initially to avoid having to escape anything except the double quote).

Console output of the test is:

Original:
`1234567890-=[]\ ;',./\~!@#$%^&*()_+{}|:"<>?|
Html Encoded:
`1234567890-=[]\ ;&#39;,./\~!@#$%^&amp;*()_+{}|:&quot;&lt;&gt;?|

Equally if you breakpoint the end of the test and start mucking about with the visualisers:

Hover (a):

"`1234567890-=[]\\ ;',./\\~!@#$%^&*()_+{}|:\"<>?|"

i.e. it's C# escaped in the tooltip and surrounded by quotes.

Hover (htmlEncoded):

"`1234567890-=[]\\ ;&#39;,./\\~!@#$%^&amp;*()_+{}|:&quot;&lt;&gt;?|"

.. again, it's html encoded and C# escaped with quotes

Text (htmlEncoded):

`1234567890-=[]\ ;&#39;,./\~!@#$%^&amp;*()_+{}|:&quot;&lt;&gt;?|

.. No C# escaping

Html (htmlEncoded):

`1234567890-=[]\ ;',./\~!@#$%^&*()_+{}|:"<>?|

In Times New Roman script of course :)

Which I believe takes us back to the original string - which also shows that the scenario you're describing can't be the case - unless you have read an escaped string as being "correct", when in fact it's not. Html doesn't require \ to be escaped.

Andras Zoltan
  • I used the text view of the debugger in VS2010 which gave the first result. The second result, which was wrong, was only shown in the web application – Jan Jan 27 '11 at 13:49
  • @Jan - sorry, but in my opinion the only cause of this problem is down to debugger visualisation - unless some other code in your project is modifying your string and physically double-escaping backslash characters. However, since ` \ ` characters do not need escaping in html, you would see ` \\ ` in the output page. Ergo the double-slash was never there in html encoded string except when you looked at it - and that can only happen if the visualiser you used was one of those that escapes the strings that it shows. – Andras Zoltan Jan 27 '11 at 14:23
  • 2
    the html visualizer gave the expected result. However the result in the html did not. I guess it was something else. Maybe the JS code used to show the text. – Jan Jan 27 '11 at 14:42
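
An added example, not part of the original answer or comments: it checks the answer's point on the data itself (HtmlEncode leaves backslashes alone, only a C#-literal style display doubles them) and then shows the one output context where a backslash really is consumed, a JavaScript string literal. `AsCSharpLiteral` and `Backslashes` are hypothetical helpers, the tooltip rendering is an approximation, and the JavaScript part illustrates the encoding context only, not a diagnosis of the asker's application.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Web; // HttpUtility (add a reference to System.Web on .NET Framework)

static class EncodingLayers
{
    // Hypothetical helper: approximates the debugger tooltip, which shows a
    // string as a C# literal (quotes added, \ and " escaped).
    static string AsCSharpLiteral(string s)
    {
        var sb = new StringBuilder("\"");
        foreach (char c in s)
        {
            if (c == '\\' || c == '"') sb.Append('\\');
            sb.Append(c);
        }
        return sb.Append('"').ToString();
    }

    // Hypothetical helper: count backslashes in the actual data.
    static int Backslashes(string s)
    {
        return s.Count(c => c == '\\');
    }

    static void Main()
    {
        // The string from the question, as a verbatim literal.
        string a = @"`1234567890-=[]\ ;',./\~!@#$%^&*()_+{}|:""<>?|";
        string html = HttpUtility.HtmlEncode(a);
        string tooltip = AsCSharpLiteral(html);

        Console.WriteLine("value   : " + html);
        Console.WriteLine("tooltip : " + tooltip);

        // Check the data, not a rendering of it: HtmlEncode leaves \ alone,
        // only the literal-style display doubles it.
        if (Backslashes(html) != Backslashes(a) ||
            Backslashes(tooltip) != 2 * Backslashes(a))
            throw new InvalidOperationException("unexpected backslash count");

        // HTML encoding is the wrong encoder for a JavaScript string literal:
        // there \ starts an escape sequence, so "\ " and "\~" lose their
        // backslash when the script is parsed. Encode for the context instead.
        Console.WriteLine("HTML-encoded only : var s = \"" + html + "\";");
        Console.WriteLine("JS-string encoded : var s = " +
            HttpUtility.JavaScriptStringEncode(a, true) + ";");
    }
}
```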