I need to remove a dangerous domain from the URL, but the QueryString Collection is Read Only.
I created a whitelist of safe URL's and scan the URL inside a custom ActionFilterAttribute to assert that every domain is whitelisted:
But rather than upsetting existing program flow by redirecting to an error page, we have decided to simply remove that dangerous domain. If the goto or returnURL is errant, I need to completely remove it. But, the QueryString Collection is Read Only.
I use the following code to remove the "goto" key and notice the NameValueCollection array drops from a size of 1 to 0.
private void RemoveParameter(NameValueCollection nameCollection, string keyToRemove)
// reflect to readonly property
PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
if (isreadonly != null)
// make collection editable
isreadonly.SetValue(nameCollection, false, null);
// make collection readonly again
isreadonly.SetValue(nameCollection, true, null);
but even after a final call to:
the browser still has the bad domain in the goto. In fact, I was expecting "goto" to no longer display.
What am I missing?