This topic has not yet been rated - Rate this topic

AntiXssEncoder.UrlPathEncode Method

.NET Framework 4.5

Encodes path strings for use in a URL.

Namespace: System.Web.Security.AntiXss
Assembly: System.Web (in System.Web.dll)

'Declaration
Protected Friend Overrides Function UrlPathEncode ( _
	value As String _
) As String

Parameters

value: Type: System.String
The string to encode.

Return Value

Type: System.String
The URL that contains the encoded path.

Remarks

This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.

Unicode code chart	Character(s)	Description
C0 Controls and Basic Latin	A-Z	Uppercase alphabetic characters
C0 Controls and Basic Latin	a-z	Lowercase alphabetic characters
C0 Controls and Basic Latin	0-9	Numbers
C0 Controls and Basic Latin	#	Number sign, hash
C0 Controls and Basic Latin	%	Percent sign
C0 Controls and Basic Latin	( )	Parentheses
C0 Controls and Basic Latin	-	Hyphen, minus
C0 Controls and Basic Latin	.	Period, dot, full stop
C0 Controls and Basic Latin	/	Slash
C0 Controls and Basic Latin	\	Backslash
C0 Controls and Basic Latin	_	Underscore
C0 Controls and Basic Latin	{ }	Braces, curly brackets
C0 Controls and Basic Latin	\|	Vertical line
C0 Controls and Basic Latin	~	Tilde

The following table lists examples of inputs and the corresponding encoded outputs.

http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount]	http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount]
alert('XSS Attack!');	alert(%27XSS%20Attack%21%27)%3b
<script>alert('XSS Attack!');</script>	%3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e
alert('XSSあAttack!');	alert(%27XSS%e3%81%82Attack%21%27)%3b
user@contoso.com	user%40contoso.com
"Anti-Cross Site Scripting Namespace"	%22Anti-Cross%20Site%20Scripting%20Namespace%22

This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /en-us/default.htm is encoded:

http://www.contoso.com:8080/en-us/default.htm?v=s978dfs9#x=103

Version Information

.NET Framework

Supported in: 4.5

Platforms

Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Reference

AntiXssEncoder Class

System.Web.Security.AntiXss Namespace

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)