Response.Redirect的偶尔忽略URL编码 [英] Response.Redirect occasionally ignores URL encoding
问题描述
在网站目前我正在建设,我们需要大量的动态重定向,为了保持通过该网站的部分流程。
In the website I'm currently building we need a large number of dynamic redirects, in order to maintain flow through parts of the site.
我目前使用的Response.Redirect实现这一目标,与重定向URL正在上各种按钮的方法回传后面的代码动态生成。
I'm currently using response.redirect to achieve this, with the redirection URL being dynamically generated in the code behind on the postback method of various buttons.
这是在95%以下的罚款情况下,但是我注意到,有时网址是可怕的错位。
This is fine in 95% of the cases, however I am noticing that sometimes the URL is mangled horribly.
在一个案例中,URL是urlencoded的,作为一个参数,有时含有&,但是重定向是忽略这一点,并重定向到非编码版本
In one case, the url is URLEncoded, as one of the parameters sometimes contains an ampersand, however the redirect is ignoring this and redirecting to a non-encoded version.
即?page.aspx QS =第一%26秒&放大器; QS = 2及适量= 3正被重定向到page.aspx QS =第一和放大器;第二和放大器; QS = 2及适量= 3
i.e. "page.aspx?qs=first%26second&qs=2&qs=3" is being redirected to "page.aspx?qs=first&second&qs=2&qs=3"
这是发生在另一种情况是,反应是完全剥离&符号,导致频繁死机。
the other case that happens is that the response is completely stripped of ampersands, leading to frequent crashes.
即page.aspx QS = 1和; QS = 2及适量= 3正被重定向到page.aspx QS = 1QS = 2QS = 3?
i.e. "page.aspx?qs=1&qs=2&qs=3" is being redirected to "page.aspx?qs=1qs=2qs=3"
是否任何人有任何想法,为什么这两种情况下可能会发生什么?
Does anyone have any ideas why either of these scenarios might happen?
的议决的
对不起,这是由于我自己的白痴,从管理员重定向到非管理员(不要问),而不是把和放大器; S回或URL编码再次几页
Sorry, this was due to my own idiocy, in redirecting from admin to non-admin (don't ask), and not putting the &s back in or url encoding again on a couple of pages.
(捂脸)
推荐答案
我会说,发生这种情况的原因是由于如何在的Response.Redirect 方法在内部工作。
I would say that the reason this is happening is due to how the Response.Redirect method works internally.
在内部,Redirect方法将检查字符串URL参数,如果它认为必要的,实际执行重定向之前的字符串URL参数进行一些编码。
Internally, the Redirect method will inspect the string URL parameter and, if it deems necessary, perform some encoding on the string URL parameter prior to actually performing the redirect.
这可以通过看反射在的Response.Redirect 方法的反汇编得到证明。除其他事项外,重定向方法执行:
This can be evidenced by looking at the disassembly of the Response.Redirect method within Reflector. Amongst other things, the Redirect method performs:
url = this.ApplyRedirectQueryStringIfRequired(url);
url = this.ApplyAppPathModifier(url);
url = this.ConvertToFullyQualifiedRedirectUrlIfRequired(url);
url = this.UrlEncodeRedirect(url);
展望每个这些功能外,还有如调用其它功能:
Looking into each of these functions, there are calls to other functions such as:
internal static string UrlEncodeNonAscii(string str, Encoding e)
internal static string UrlEncodeSpaces(string str)
private static byte[] UrlEncodeBytesToBytesInternalNonAscii(byte[] bytes, int offset, int count, bool alwaysCreateReturnValue)
这些函数。试图编码(或改造)以某种方式提供的字符串URL参数
Each of these functions attempts to encode (or transform) the provided string URL parameter in some way.
根据这个网页:的Response.Redirect和编码的URI (和其他人从这里链接),可以有一些问题与这种编码是根据输入字符串执行。
According to this page: Response.Redirect and encoded URIs (and others linked from here), there can be some issues with this encoding that is performed, depending upon the input string.
这样看来,允许时可能出现的避免任何编码问题的最佳方式重定向的方法做它自己的编码是明确之前,将它传递给重定向方法编码自己的字符串URL参数。
It would appear that the best way of avoiding any encoding issues that may arise when allowing the Redirect method to do it's own encoding is to explicitly encode the string URL parameter yourself prior to passing it to the Redirect method.
在的Response.Redirect MSDN文章:
始终验证和编码URL
传递给Response.Redirect更改为
防止跨站点脚本
攻击。有关如何
从
删除字符串有害的字符的信息,请参阅从删除有害的字符用户输入。
Always validate and encode the URL that is passed to Response.Redirect to protect against cross-site scripting attacks. For information about how to remove harmful characters from strings, see Removing Harmful Characters from User Input.
请注意也有拥有的不使用完全合格的URL时,在Response.Redirect的编码方法,以前都是错误的。是否有可能使用的是版本的.NET框架,很容易受到这个问题的?
Note that there has also previously been bugs in the Response.Redirect methods encoding when not using a fully qualified URL. Is it possible you are using a version of the .NET framework that is vulnerable to this issue?
这篇关于Response.Redirect的偶尔忽略URL编码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
