AntiXssEncoder.UrlPathEncode(String) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Encodes path strings for use in a URL.
protected public:
override System::String ^ UrlPathEncode(System::String ^ value);protected internal override string UrlPathEncode (string value);override this.UrlPathEncode : string -> stringProtected Friend Overrides Function UrlPathEncode (value As String) As StringParameters
- value
- String
The string to encode.
Returns
The URL that contains the encoded path.
Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.
The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase alphabetic characters |
| a-z | Lowercase alphabetic characters |
| 0-9 | Numbers |
| # | Number sign, hash |
| % | Percent sign |
| ( ) | Parentheses |
| - | Hyphen, minus |
| . | Period, dot, full stop |
| / | Slash |
| \ | Backslash |
| _ | Underscore |
| { } | Braces, curly brackets |
| | | Vertical line |
| ~ | Tilde |
The following table lists examples of inputs and the corresponding encoded outputs.
http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount] |
http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount] |
alert('XSS Attack!'); |
alert(%27XSS%20Attack%21%27)%3b |
<script>alert('XSS Attack!');</script> |
%3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e |
alert('XSSあAttack!'); |
alert(%27XSS%e3%81%82Attack%21%27)%3b |
user@contoso.com |
user%40contoso.com |
"Anti-Cross Site Scripting Namespace" |
%22Anti-Cross%20Site%20Scripting%20Namespace%22 |
This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /default.htm is encoded:
http://www.contoso.com:8080/default.htm?v=s978dfs9#x=103
Applies to
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for