Edit

Share via


AntiXssEncoder.UrlPathEncode(String) Method

Definition

Encodes path strings for use in a URL.

protected public:
 override System::String ^ UrlPathEncode(System::String ^ value);
protected internal override string UrlPathEncode (string value);
override this.UrlPathEncode : string -> string
Protected Friend Overrides Function UrlPathEncode (value As String) As String

Parameters

value
String

The string to encode.

Returns

The URL that contains the encoded path.

Remarks

This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.

The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range.

Character(s) Description
A-Z Uppercase alphabetic characters
a-z Lowercase alphabetic characters
0-9 Numbers
# Number sign, hash
% Percent sign
( ) Parentheses
- Hyphen, minus
. Period, dot, full stop
/ Slash
\ Backslash
_ Underscore
{ } Braces, curly brackets
| Vertical line
~ Tilde

The following table lists examples of inputs and the corresponding encoded outputs.

http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount] http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount]
alert('XSS Attack!'); alert(%27XSS%20Attack%21%27)%3b
<script>alert('XSS Attack!');</script> %3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e
alert('XSSあAttack!'); alert(%27XSS%e3%81%82Attack%21%27)%3b
user@contoso.com user%40contoso.com
"Anti-Cross Site Scripting Namespace" %22Anti-Cross%20Site%20Scripting%20Namespace%22

This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /default.htm is encoded:

http://www.contoso.com:8080/default.htm?v=s978dfs9#x=103

Applies to