Is it good practice to use html.encode before passing the query string parameters to the business layer? The scenario is with respect to the ASP.NET framework, and I am wondering whether I must encode the contents of the query string before reading the values from the keys.
I know we can always convert the contents to the expected data type, but my question is from a design perspective.
Thanks!
Request.RawUrl parameters should be nicely decoded in QueryString, or even better in ASP.NET MVC action parameters... Or are you talking about some additional encoding on the client side?

Request.QueryString["number"] is the value the server side is supposed to see - it is decoded once (as it comes encoded in the raw URL). I see no value in encoding it (additional encoding may even make the value unusable). I suspect you confuse it with the need to properly encode values when writing HTML...
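
The distinction drawn in the comment above, as an added example that is not part of the original thread: the query string is URL-decoded once by the framework, the business layer works on that value, and HTML encoding is applied only where the value is written into markup. The `company` parameter, the sample query, and `IsValidCompanyName` are hypothetical; `HttpUtility.ParseQueryString` is used here as a stand-in for `Request.QueryString` so the code runs outside a web request.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Web;

static class QueryStringEncodingDemo
{
    // Hypothetical business rule: it operates on the real value, not on markup.
    static bool IsValidCompanyName(string name) =>
        !string.IsNullOrWhiteSpace(name) && name.Length <= 20;

    static void Main()
    {
        // Constructed sample: the query part of a raw URL as it arrives on the wire.
        const string rawQuery = "?company=O%27Brien+%26+Sons";

        // URL decoding happens exactly once, here; this is the value the
        // server-side code is supposed to see.
        NameValueCollection query = HttpUtility.ParseQueryString(rawQuery);
        string company = query["company"];

        // Anti-pattern: HTML-encoding on the way in. The apostrophe and the
        // ampersand become entities, so the data itself changes and grows.
        string encodedOnInput = WebUtility.HtmlEncode(company);

        Console.WriteLine("decoded value   : " + company);
        Console.WriteLine("encoded on input: " + encodedOnInput);

        // The same rule gives different answers for the same user input,
        // because the encoded form is longer than what the user typed.
        Console.WriteLine("rule on decoded : " + IsValidCompanyName(company));
        Console.WriteLine("rule on encoded : " + IsValidCompanyName(encodedOnInput));

        // Correct place for HTML encoding: the moment the value is written
        // into an HTML response.
        string html = "<td>" + WebUtility.HtmlEncode(company) + "</td>";

        // If the value was already encoded on input, the output encoder runs
        // a second time and the page shows literal entity text.
        string doubleEncoded = "<td>" + WebUtility.HtmlEncode(encodedOnInput) + "</td>";

        Console.WriteLine("encode at output: " + html);
        Console.WriteLine("double encoded  : " + doubleEncoded);
    }
}
```

Other sinks need their own handling at the point of use, for example parameterized queries for SQL rather than HTML encoding.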