Password substitution with an & (ampersand)

Good Day,

I have a password with an & in it. The & char gets replaced by & in the web.config file connection string. The password is stored as a sensitive variable.

What can I do to keep this from happening?

Thank you for your help,

Hi @Nadia.Vermeulen

Thanks for getting in touch with Octopus and for your question!

Just to confirm am I right in saying you have a web.config with a value being replaced, using one of the following features:

And the variable value is for a password that contains an ampersand (&).

What does the resultant value look like? Is it something like this:

<add name="example1" connectionString="Secret&Value" />

Where Secret&Value is my sensitive password variable value.

As you may be aware, certain characters are reserved for use in XML, and the ampersand character is one of them. In order to allow an ampersand character in XML, it needs to be escaped like this:

Original: &
Escaped: &amp;

To do this with Octopus, you can use the XmlEscape variable filter

If you are using the Substitute variables in templates feature, where (in my example above) you are setting the value in the web.config like this:

    <add name="example1" connectionString="#{secretPasswordValue}" />

Then you need to change it to this:

    <add name="example1" connectionString="#{secretPasswordValue | XmlEscape}" />

The key part is the pipe to the variable filter:

#{secretPasswordValue | XmlEscape}

If you are using Structured Configuration variables then you’d want to escape the sensitive value in the variable value itself:

When it’s then deployed, you should get a result like this:

<add name="example1" connectionString="Secret&amp;Value" />

I hope that helps!

Hi Mark, thank you for the feedback. I see my char was converted, no wonder you were confused at my request.

The problem is the password is for example “pass&word” but the “&” gets replaced and looks like ‘‘pass&amp;word’’. It’s part of the a connection string:

Server=#{servername};Database=db;User Id=#{username};Password=#{password};

so it ends up looking like Password=pass&amp;word;

I hope that makes more sense of what I’m trying to achieve.


Hi @Nadia.Vermeulen

If the connection string you mentioned is in an XML attribute then I believe &amp; is correct. When the Application loads the connection string, it should convert that to the unescaped equivalent of &.

We have a useful post discussing the pros and cons of escaping here

Another alternative is to avoid the use of these characters in your passwords completely.


Hi Mark, thanks for the feedback.

You’re right. After spending some time with the team they confirmed that it’s not the password that’s the issue, seems to be something else.

Thanks again for all your help

Hey @Nadia.Vermeulen

You’re very welcome.

I hope you can get to the root cause of the problem!