html/URL Encoding C# Asp.Net

pillphil

I'm making a Asp.Net Core 2.1 web app. I've added email validation, however I've run into a minor issue.

The code is largely the basic web app code, with modifications to make it run on MySql instead of Sql Server and some other changes for encrypting appsettings.

I've also had to use MailGun unstead of the recommended send grid

The generated code and tutorials say to use the code below:

$"Please confirm your account by <a href='{HtmlEncoder.Default.Encode(callbackUrl)}'>clicking here</a>.");

However the verification string is in the format:

'[URL="https://localhost:5001/Identity/Account/ConfirmEmail?userId=78092f92-9193-4af7-a2f0-a260df7d6c01&amp;code=CfDJ8D2SnhxMBo9CnbW%2Byz35iD693EclhNNOZnW6UmvxxsdlE8JEMYRtGdqyohcElspXRQvWGeiOyDlicoG1BTMA2eSxu9aGF903ZNKE9Lqp6RZQcAvq%2BBVKfHOGeX9AOylCn4T%2FEVjMrsXJVfoFGiCLe1OGimK9nkfKWJ3ZbrpE8RwYdiWehZGTmENvoNaFcen860Z4nX1A8jEHwPtHUdvobggRRtmXk%2FLwuc9x4XDGGqu%2FguKUXVxaDMQ4izKdItw8Jg%3D%3D"]https://localhost:5001/Identity/Account/ConfirmEmail?userId=<userid>&code=<code>[/URL]

HtmlEncoder.Default.Encode converts the & into & which prevents the verification method reading the code section, removing the encode method (as below) allows it to work properly. Any issues with doing so? I assume it's there for a reason?

$"Please confirm your account by <a href='{callbackUrl}'>clicking here</a>.");

counterpointaud

Just encode anything that can possibly come from a user / another system and you should be fine, you probably don't need to encode the whole URL.

pillphil

Cheers, this is all app generated, userid from the db and the app generated validation string, so no possibility of user/other system input. Still curious why the default code isn't working, althought from trying to integrate GCP and .net, there's been a lot of this.