3

In some javascript, I have:

var url = "find.aspx?" + "location=" + encodeURIComponent( address );
alert( url );
location.href = url;

where the value of address is the string "Seattle, WA".

In the alert I see

find.aspx?Seattle%2C%20WA

as I expect.

But on the server side, when I look at Request.Url, the relevant substring I see is

find.aspx?Seattle, WA

And in the Firefox url window I see

find.aspx?location=Seattle%2C WA

So I'm getting three different representations whereas I would expect that in all three places I should see what I see in the alert. My expectation is that the url I assign to location.href should show up as-is in the browser url window, and should be passed as-is to the server in Request.Url (and I would need to decode the values on the server before using them). What's happening?

Improve this question
1
  • @M Katz: about your other question, mentioned in some comment, the reference about the "proof", see my update. (this comment will not remain) Commented Jan 22, 2010 at 12:47

3 Answers 3

Reset to default
2

Firefox converts certain encoded characters into their literal forms as a way to be friendly to users. It will also convert spaces typed into the address bar into %20 for the server.

Update: The reason Firefox doesn't display the comma unencoded is because commas are allowed in URLs, but spaces are not, so it knows that a space is going to be unambiguously interpreted, whereas the pre-encoded comma is different from a non-encoded comma to some servers. see: Can I use commas in a URL?

ASP is probably trying to help you out by auto-un-encoding the string for you.

Update: It looks like ASP.NET unencodes Request.Url for you by default, as mentioned here: QueryString malformed after URLDecode They also mention that you can use HttpRequest.Url.Query to access the un-decoded version.

The alert is the only thing not doing any "magic" for you.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for the quick reply. If firefox is trying to show a friendly version of the url, why would it leave the %2c instead of just showing it as a comma? As for ASP.NET, it seems confusing if it's just trying to "help me out". Do you know where it's documented that it does this? I have to know whether it always does the unencoding, because otherwise I could mess things up by unencoding twice, right?
Encoding twice is prohibited by the URL specification and would indeed mess things up. Same for unencoding. That way, it is guaranteed that you can encode %2C as a string: google/search?q=%252C will search for "%2C" not for "," (double unencoding).
A follow-up on your update: Request.QueryString.ToString() is overriden and gives a re-encoded version. bla.aspx?a=%20b returns then a=+b, while QueryString["a"] would return " b" (without quotes). Also note that Request.RawUrl gives the exact input GET request (often not including the host and protocol part) and Request.Url.Query gives the undecoded input querystring including the question mark. Altogether a bit messy perhaps, but once you know what's where... ;-)
1

For the alert, you are doing the encoding yourself. Perhaps it looks the same as on the server-side if you removed encodeURIComponent.

On the server side, ASP.NET will always show you the unencoded form. This is to make it easier to directly map to files that also have text that needed to be (un)encoded.

Note that you can replace every letter for its UTF8 representation in URL Encoding. It will still be the same URL. I.e., type the following in the browser window and it will still work: %66%59%6E%64.aspx?location=Seattle%2C%20WA. To only encode the necessary chars, use UrlEncode on the server side if you create a link yourself.

URL encoding can become fairly tricky. You ask to explain it. To know the correct escape of a certain character, you need to know how that character looks in UTF8. The hexadecimal value of the UTF-8 bytes then become the %XX%YY value of your letter. Sometimes it's one %XX, but it can be up to six byte sequences in total (some Chinese characters for instance).

URL Encoding works one way only. Never double-encode or double-unencode. This is prohibited by the specification. Also, because you can encode any character, it is not always possible (as you found out) to do roundtrip encoding/unencoding. If you unencode and re-encode again, it is well possible that the resulting string is different, but syntactically the same.

In HTML, URL Encoding is sometimes interspersed with HTML Encoding. I.e., the ampersand is valid in HTML, but not in HTML. find.aspx?city=A&name=B becomes find.aspx?city=A&name=B in and HTML URL. However, browsers are lenient and will accept wrongly HTML-encoded strings.

Finally, a not on the browser: if you type in a space in a link, even inside an <a> tag, it will escape the space (or other character) for you. Likewise, it will nowadays show the odd characters (é, ï etc) in the address bar, but when it sends it over HTTP, the browser will correctly do the encoding for you.

Update: about anwering your question of needing a "definitive" reference or proof.

While I couldn't find any on the internet, I decided to look for it myself using Reflector. Going through the methods that set, for instance, the HttpRequest.QueryString, you quickly encounter the private method HttpRequest.FillInQueryStringCollection which then calls HttpValueCollection.FillfromEncodedBytes. Somewhat near the end of that method, HttpUtility.UrlDecode is called for the values. Conclusion: do not call it yourself, to prevent double decoding.

You can see this for yourself when you download Reflector and disassemble the .NET libs of System.Web.

Improve this answer

4 Comments

Thanks for all the info. So I now understand that ASP.NET always assumes a single encode and always does a single decode for me (I would still like to see where this is documented explicitly). So then, it seems that the function Server.UrlDecode() wouldn't be used much. What are some times when you'd call this function?
@M Katz: Correct, UrlDecode is normally not used for decoding an incoming URL. However, sometimes an URL becomes part of the query string, which will already be encoded. It really depends on your requrements, but while I use Encode often, I don't find myself using Decode equally much. You might think of UnescapeDataString, but read this first: blogs.msdn.com/yangxind/default.aspx
Follow-up: decoding is used internally already (see update). So the assumptions were correct, so far.
@M Katz, you're welcome. If you like the answer, consider upvoting and/or accepting it. Welcome at SO!
0

For your example you can change this line 

var url = "find.aspx?" + "location=" + encodeURIComponent( address );

to

var url = "find.aspx?" + "location=" + address;

and see the address as it is. Bu if address variable contains any '&' character your variable will be corrupt. So you are using encodeURIComponent to encode these things url.

On the Server side all these encoded strings are decoded back. It means encodeURIComponent is just for sending the address variable (whether it contains & character or not) to server side correctly.

Improve this answer

2 Comments

Thanks. Can you help me find where it's documented that ASP.NET automatically unencodes the url for you (if it does)?
I assume: UrlDecodes is what you mean. It doesn't encode anything, you have to do that yourself for each link you create.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.