AntiXssEncoder.UrlPathEncode Method (String)
Encodes path strings for use in a URL.
Assembly: System.Web (in System.Web.dll)
Parameters
- value
  Type: System.String
  The string to encode.
This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.
| Unicode code chart | Character(s) | Description |
|---|---|---|
| | A-Z | Uppercase alphabetic characters |
| | a-z | Lowercase alphabetic characters |
| | 0-9 | Numbers |
| | # | Number sign, hash |
| | % | Percent sign |
| | ( ) | Parentheses |
| | - | Hyphen, minus |
| | . | Period, dot, full stop |
| | / | Slash |
| | \ | Backslash |
| | _ | Underscore |
| | { } | Braces, curly brackets |
| | \| | Vertical line |
| | ~ | Tilde |
The following table lists examples of inputs and the corresponding encoded outputs.
| Input | Encoded output |
|---|---|
| `http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount]` | `http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount]` |
| `alert('XSS Attack!');` | `alert(%27XSS%20Attack%21%27)%3b` |
| `<script>alert('XSS Attack!');</script>` | `%3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e` |
| `alert('XSSあAttack!');` | `alert(%27XSS%e3%81%82Attack%21%27)%3b` |
| `user@contoso.com` | `user%40contoso.com` |
| `"Anti-Cross Site Scripting Namespace"` | `%22Anti-Cross%20Site%20Scripting%20Namespace%22` |
This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /default.htm is encoded:
http://www.contoso.com:8080/default.htm?v=s978dfs9#x=103
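The rules described above (safe list, %hex encoding of the UTF-8 bytes as the あ row shows, and path-only scope) modelled in Python as an added example; it is not the .NET implementation or code from this page. The URL-splitting regex and the names `split_url`, `encode_path` and `url_path_encode` are assumptions chosen to reproduce the example rows in the table.

```python
import re

# Safe list copied from the table on this page; everything else is encoded.
SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "#%()-./\\_{}|~"
)

# Assumed split: optional scheme and authority, then the path, then
# everything from the first '?' or '#' onward (query and fragment).
_URL = re.compile(
    r"^((?:[A-Za-z][A-Za-z0-9+.\-]*:)?(?://[^/?#]*)?)([^?#]*)(.*)$",
    re.DOTALL,
)


def split_url(value):
    """Return (scheme_and_authority, path, query_and_fragment)."""
    return _URL.match(value).groups()


def encode_path(path):
    """Percent-encode each UTF-8 byte of every character not in SAFE."""
    out = []
    for ch in path:
        if ch in SAFE:
            out.append(ch)
        else:
            out.extend("%{:02x}".format(b) for b in ch.encode("utf-8"))
    return "".join(out)


def url_path_encode(value):
    """Model of the documented behaviour: only the path component changes."""
    prefix, path, rest = split_url(value)
    return prefix + encode_path(path) + rest


if __name__ == "__main__":
    # Constructed input: markup in the query is returned unchanged, so
    # query values need their own encoding before the URL is emitted.
    print(url_path_encode("/a b/<x>.htm?q=<script>"))
```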
Available since 4.5