Working with DNN extension development we often need to share information from page-to-page or other locations within our application and we want to do so in a secure manner. For the longest time, DNN has contained a handy set of methods in the UrlUtils namespace, EncryptParameter, and DecryptParameter. They are easy to use, but just recently I have uncovered a very unusual situation that resulted in an error. Funnily enough, this code has been running in production for more than 5 years!
Before Code
If you follow the examples and based on the fact that the code we are calling is part of the UrlUtils class we would expect all to correct. Regardless usage is simple.
//To send along
var toEncrypt = "My Secure Value";
var encrypted = UrlUtils.EncryptParameter(toEncrypt);
Response.Redirect("~/Test.aspx?MyValue=" + encrypted);
//To retrieve
var fromUrl= Request.QueryString["MyValue"];
var decrypted = UrlUtils.DecryptParameter(fromUrl);Logically speaking this should work right? I mean the API is aware of the fact that we are working with URL's and encryption? Well, it does, 99.9% of the time, however in recent versions of DNN I have been seeing more reports of issues.
The Fix
Luckily the fix is quite simple, you need to manage your own encoding & decoding for the URL. It just adds a bit of time to the process. The following example works well.
//To send along
var toEncrypt = "My Secure Value";
var encrypted = UrlUtils.EncryptParameter(toEncrypt);
Response.Redirect("~/Test.aspx?MyValue=" + Server.UrlEncode(encrypted));
//To retrieve
var fromUrl= Server.UrlDecode(Request.QueryString["MyValue"]);
var decrypted = UrlUtils.DecryptParameter(fromUrl);All we added was a simple Server.UrlEncode and Server.UrlDecode call to the two methods. Now our code is back to working as desired! Hope this helps!