30

I currently have a login link on my application that looks something like this:

<a href="/login?ReturnUrl=<%= Request.RawUrl %>">Login</a>

I want to handle the POST command on the login page in the controller action below:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Login(string returnUrl)
{
    // Authenticate user

    // returnUrl is model-bound from the ReturnUrl query-string parameter
    return Redirect(returnUrl);
}

The problem here is if the RawUrl is something with multiple url parameters like "somepage?param1=1&param2=2&param3=3", then the returnUrl that gets passed into the Login action is truncated after the first ampersand: "somepage?param1=1".

I've tried UrlEncoding the RawUrl but that doesn't seem to make any difference. It seems that the ASP.NET MVC framework here is UrlDecoding the url params before mapping them to the controller action parameters, which ends up stripping off the additional url parameters I want to see in my returnUrl parameter.

Is there any way around this? I know I could just use Request.Path and parse out the values I need, but I thought I'd see if there was a cleaner approach first.
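The truncation described in the question, reproduced outside of MVC as an added example (this is not code from the question or from ASP.NET MVC itself). It assumes a reference to System.Web for HttpUtility; the sample RawUrl is constructed, and BoundReturnUrl stands in for what the model binder sees after the query string is split on '&' and decoded:

```csharp
// Added example: why an unencoded RawUrl is cut off at the first '&' and how
// encoding it preserves the whole value. Requires a reference to System.Web.
using System;
using System.Web;

class ReturnUrlDemo
{
    // Builds the login link the way the question does (no encoding).
    static string UnencodedLink(string rawUrl)
    {
        return "/login?ReturnUrl=" + rawUrl;
    }

    // Builds the login link with the RawUrl encoded as a single query value.
    static string EncodedLink(string rawUrl)
    {
        return "/login?ReturnUrl=" + HttpUtility.UrlEncode(rawUrl);
    }

    // Stand-in for the model binder: take the query string of the link, split
    // it on '&', decode each value, and return the ReturnUrl key.
    static string BoundReturnUrl(string link)
    {
        string query = link.Substring(link.IndexOf('?') + 1);
        return HttpUtility.ParseQueryString(query)["ReturnUrl"];
    }

    static void Main()
    {
        // Constructed sample RawUrl with several query parameters.
        const string rawUrl = "/somepage?param1=1&param2=2&param3=3";

        Console.WriteLine("unencoded link : " + UnencodedLink(rawUrl));
        Console.WriteLine("bound returnUrl: " + BoundReturnUrl(UnencodedLink(rawUrl)));

        Console.WriteLine("encoded link   : " + EncodedLink(rawUrl));
        Console.WriteLine("bound returnUrl: " + BoundReturnUrl(EncodedLink(rawUrl)));
    }
}
```

With the unencoded link, the '&' characters inside RawUrl become separators of the outer query string, so only `/somepage?param1=1` reaches the ReturnUrl key while `param2` and `param3` arrive as top-level parameters. With the encoded link, `&` is sent as `%26` and the decoded ReturnUrl comes back intact.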

2 Answers

39

You're probably encoding the links incorrectly. Yes, they do need to be encoded. Here is how we do it:

<a href="<%= Url.Action("Delete", "TimeRecord",
    new RouteValueDictionary(new { id = timeRecord.AltId,
    returnUrl = ViewContext.HttpContext.Request.Url.PathAndQuery })) %>">Delete</a>

4 Comments

This is good; PathAndQuery doesn't include the domain, so you're not vulnerable to an attacker using your server to redirect to their site.
I wouldn't say you're not vulnerable. People can change the form data with Fiddler and the like. You still have to sanitize the URI at the server. On the other hand, it's good to not pre-populate the form with bad data. :)
Looks good. Beware though that ViewContext.HttpContext.Request.Url can return null, meaning that you may have a NullReferenceException.
This isn't the correct answer to this question. The correct answer is the one using Url.Encode(Request.RawUrl)
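The server-side check that the comments above call for, as an added example rather than code from the answer: the value in returnUrl is attacker-controlled regardless of how the link was built, so the action only follows it when it points back into this application. It assumes ASP.NET MVC 3 or later for Url.IsLocalUrl and uses a hypothetical TryAuthenticate wrapper around the application's real credential check:

```csharp
// Added example: validate returnUrl before redirecting. Assumes ASP.NET MVC 3+
// (Url.IsLocalUrl) and ASP.NET Membership for the credential check.
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!TryAuthenticate(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Only redirect to a URL inside this application. IsLocalUrl rejects
        // absolute URLs and protocol-relative ones such as "//other.example",
        // which is what turns an unchecked returnUrl into an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }

        // Anything else falls back to a fixed, safe destination.
        return RedirectToAction("Index", "Home");
    }

    // Hypothetical stand-in for the application's real credential check.
    private bool TryAuthenticate(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}
```

The check belongs in the POST action, not in the view: PathAndQuery keeps the generated link local, but nothing stops a client from submitting a different returnUrl, which is the point made in the second comment.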
8

Make sure you URL encode the RawUrl before using it.

<%= Url.Encode(Request.RawUrl) %>

This should do it for you.

1 Comment

This works fine, the original post mis-analysed what was happening.
