<remove> Element for schemeSettings (Uri Settings)
Collapse the table of content
Expand the table of content

<remove> Element for schemeSettings (Uri Settings)

.NET Framework (current version)

Removes a scheme setting for a scheme name.


   <name = "http|https"/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.





The scheme name for which this setting applies. The only supported values are name="http" and name="https".

Child Elements


Parent Elements



<schemeSettings> Element (Uri Settings)

Specifies how a Uri will be parsed for specific schemes.

By default, the System.Uri class un-escapes percent encoded path delimiters before executing path compression. This was implemented as a security mechanism against attacks like the following:


If this URI gets passed down to modules not handling percent encoded characters correctly, it could result in the following command being executed by the server:

c:\Windows\System32\cmd.exe /c dir c:\

For this reason, System.Uri class first un-escapes path delimiters and then applies path compression. The result of passing the malicious URL above to System.Uri class constructor results in the following URI:


This default behavior can be modified to not un-escape percent encoded path delimiters using the schemeSettings configuration option for a specific scheme.

This element can be used in the application configuration file or the machine configuration file (Machine.config).


The following code example shows a configuration used by the Uri class that removes any scheme settings for the http scheme.

      <remove name="http"/>
© 2016 Microsoft