My problem with Server.URLEncode as used here

George Hester

http://support.microsoft.com/default.aspx?scid=kb;en-us;301464

Look down at the MyPage.asp example. You will see that Microsoft does this:

'Construct the URL for the current page
s = "http://"
s = s & Request.ServerVariables("HTTP_HOST")
s = s & Request.ServerVariables("URL")
If Request.QueryString.Count > 0 Then
    s = s & "?" & Request.QueryString
End If
'Redirect unauthorised users to the logon page
Response.Redirect "Logon.asp?from=" & Server.URLEncode(s)

This code has problems. If the URL contains a parameter which is an image like blondie.jpg then what is sent to the Logon page is NOT the URL that ostensibly was sent to the logon page. Not only does it look different obviously but it IS different.

If the URL accessed (mypage.asp) is like this:

http://www.mydomain.com/more.asp?image=blondie.jpg

Then what is sent to the logon page looks like this:

http://www.mydomain.com/logon.asp?from=http://www.mydomain.com/more.asp?image=blondie%2Ejpg

This is because the Request.ServerVariables("URL") does a little bit of encoding. It encodes . to %2E and therefore when we pass this into Server.URLEncode it strips out the % and puts it as %25 and leaves the 2E alone. This then causes an error in JavaScript. Weirdly the image will still display. I don't know why but it does. If you access the image parameter in a <IMG src="<%=Request.QueryString("image")%>" ....

This is not good. Is there something like Request.ServerVariables("URL") that leaves any and all characters alone in the URL so that Server.URLEncode has something to work on that has not been contaminated; so that I don't have to work around this issue? Or can someone tell me ALL the characters that Server.Variables("URL") will encode so that I can fix this? Thanks.
 
MikeT

> This code has problems. If the URL contains a parameter
> which is an image like blondie.jpg then what is sent to the
> Logon page is NOT the URL that ostensibly was sent to the
> logon page. Not only does it look different obviously but
> it IS different.
>
> If the URL accessed (mypage.asp) is like this:
>
> http://www.mydomain.com/more.asp?image=blondie.jpg
>
> Then what is sent to the logon page looks like this:
>
> http://www.mydomain.com/logon.asp?from=http://www.mydomain.com/more.asp?image=blondie%2Ejpg
>
> This is because the Request.ServerVariables("URL") does a
> little bit of encoding. It encodes . to %2E and therefore when
> we pass this into Server.URLEncode it strips out the % and puts
> it as %25 and leaves the 2E alone. This then causes an error in
> JavaScript.

OK, so simply unencode the URL before encoding it again. If your
script can't cope with encoded URLs it's going to break anyway
someday...

I'm not saying this is the best way to do it, but off the top of my
head:

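const Hexconvert = "0123456789ABCDEF"

' Convert the first two characters of strHex from hex to one character.
' Returns "" when they are not two hex digits or when they decode to chr(0).
function firsttwoHextoAscii(strHex)
    dim hi, lo, dec
    firsttwoHextoAscii = ""
    if len(strHex) > 1 then
        ' instr is 1-based and returns 0 when the digit is not found
        hi = instr(1, Hexconvert, left(strHex, 1), 1)
        lo = instr(1, Hexconvert, mid(strHex, 2, 1), 1)
        if hi > 0 and lo > 0 then
            dec = 16 * (hi - 1) + (lo - 1)
            if dec > 0 and dec < 256 then
                firsttwoHextoAscii = chr(dec)
            end if
        end if
    end if
end function

' Decode "+" to a space and each %XX escape to its character.
function URLunencode(strEncoded)
    dim unencoded, part, ch
    if isnull(strEncoded) or strEncoded = "" then
        URLunencode = ""
    else
        unencoded = split(replace(strEncoded, "+", " "), "%")
        for part = 1 to ubound(unencoded)
            ch = firsttwoHextoAscii(unencoded(part))
            if ch = "" then
                ' Not a valid escape: keep the "%" and the text unchanged
                unencoded(part) = "%" & unencoded(part)
            else
                unencoded(part) = ch & mid(unencoded(part), 3)
            end if
        next
        URLunencode = join(unencoded, "")
    end if
end function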
 
George Hester

Thanks MikeT. I think I can integrate this in. Lot of work it seems to me to avoid this Request.ServerVariables("URL") and Server.URLEncode combination usage issue. I had put some work into getting images that had + in the name, in fact any character that could safely be used in naming files in Windows Explorer, to work. I had it good. Then I noticed this issue came up. I ran into it before in a little different way but I was able to work around what VBScript and ASP were doing. But this one I think you have helped better than I had. But I am back to the above issue. If the file is named say

blon %2E+.jpg

Then we are going to catch that in our\(your) function and kill the name of the file. I did have this working and without Replace. Looks like I am back to the drawing board. If only Request.ServerVariables("URL") did NO encoding at all I'd be a happy camper. The trouble is when we make a programming language with statements\functions that do more than one thing well, we end up with issues such as this. Request.ServerVariables("URL") should do NOTHING to the URL and leave it up to Server.URLEncode to take care of encoding issues. IMHO.
 
George Hester

Hi again MikeT. I didn't put your construction in the right place when I first tried to use it. What I was doing was encoding as that example showed. But then I used the same method again. It was in the second use of it that Server.URLEncode was acting on something that already was encoded. I tried just removing the second encoding but I lost all my QueryStrings. Anyway I put your VBScript unencode in and it performed admirably. I just want to thank you again for a very nice piece of code.
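The encoding-layer problem this thread works through, as an added JavaScript example that is not code from any poster or from the Microsoft article. `encodeLayer` is a constructed stand-in that escapes every byte outside A-Z, a-z and 0-9; it is an assumption for illustration, not a model of Server.URLEncode. The file names are the ones used in the posts.

```javascript
// Added example: encoding layers from the thread. encodeLayer is a constructed
// stand-in (escapes every byte outside A-Z a-z 0-9), NOT Server.URLEncode.
const utf8 = new TextEncoder();

// Add exactly one layer of percent-encoding (space becomes "+").
function encodeLayer(s) {
  return Array.from(utf8.encode(s), (b) => {
    const alnum = (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) ||
                  (b >= 0x61 && b <= 0x7a);
    if (alnum) return String.fromCharCode(b);
    if (b === 0x20) return "+";
    return "%" + b.toString(16).toUpperCase().padStart(2, "0");
  }).join("");
}

// Remove exactly one layer in a single pass. A "%" that is not followed by
// two hex digits is kept literally instead of being dropped.
function decodeLayer(s) {
  const src = utf8.encode(s);
  const out = [];
  for (let i = 0; i < src.length; i++) {
    const hex = String.fromCharCode(src[i + 1] || 0, src[i + 2] || 0);
    if (src[i] === 0x25 && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(src[i] === 0x2b ? 0x20 : src[i]);
    }
  }
  return new TextDecoder().decode(Uint8Array.from(out));
}

// The workaround from the thread: unencode first, then encode again.
function decodeThenEncode(s) {
  return encodeLayer(decodeLayer(s));
}

// File names taken from the posts above.
const encodedOnce = encodeLayer("blondie.jpg");      // "blondie%2Ejpg"
const encodedTwice = encodeLayer(encodedOnce);       // "blondie%252Ejpg"
const literalName = "blon %2E+.jpg";                 // raw name, never encoded

console.log(encodedTwice, "->", decodeLayer(encodedTwice));
console.log(decodeThenEncode(encodedOnce));          // repairs the double layer
console.log(decodeLayer(decodeThenEncode(literalName))); // raw name is damaged
console.log(decodeLayer(encodeLayer(literalName)));  // one layer each way is exact
```

Decoding before encoding is only safe when the input is known to carry exactly one encoding layer. A raw value that contains a literal % or + has to be encoded once and never decoded first.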
 
