
AntiXssEncoder.UrlPathEncode Method

.NET Framework 4.5

Encodes path strings for use in a URL.

Namespace:  System.Web.Security.AntiXss
Assembly:  System.Web (in System.Web.dll)

'Declaration
Protected Friend Overrides Function UrlPathEncode ( _
	value As String _
) As String

Parameters

value
Type: System.String

The string to encode.

Return Value

Type: System.String
The URL that contains the encoded path.

This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.

Unicode code chart           Character(s)  Description
---------------------------  ------------  -------------------------------
C0 Controls and Basic Latin  A-Z           Uppercase alphabetic characters
C0 Controls and Basic Latin  a-z           Lowercase alphabetic characters
C0 Controls and Basic Latin  0-9           Numbers
C0 Controls and Basic Latin  #             Number sign, hash
C0 Controls and Basic Latin  %             Percent sign
C0 Controls and Basic Latin  ( )           Parentheses
C0 Controls and Basic Latin  -             Hyphen, minus
C0 Controls and Basic Latin  .             Period, dot, full stop
C0 Controls and Basic Latin  /             Slash
C0 Controls and Basic Latin  \             Backslash
C0 Controls and Basic Latin  _             Underscore
C0 Controls and Basic Latin  { }           Braces, curly brackets
C0 Controls and Basic Latin  |             Vertical line
C0 Controls and Basic Latin  ~             Tilde

The following table lists examples of inputs and the corresponding encoded outputs.

Input                                                                 Encoded output
--------------------------------------------------------------------  ----------------------------------------------------------------------------
http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount]  http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount]
alert('XSS Attack!');                                                 alert(%27XSS%20Attack%21%27)%3b
<script>alert('XSS Attack!');</script>                                %3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e
alert('XSSあAttack!');                                                alert(%27XSS%e3%81%82Attack%21%27)%3b
user@contoso.com                                                      user%40contoso.com
"Anti-Cross Site Scripting Namespace"                                 %22Anti-Cross%20Site%20Scripting%20Namespace%22

This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /en-us/default.htm is encoded:

http://www.contoso.com:8080/en-us/default.htm?v=s978dfs9#x=103
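
The path-only rule and the safe list described above, as an added Python model for checking what a caller should expect to come out (this is not Microsoft's implementation and not code from the original page). It assumes a scheme and authority appear only in the form scheme://authority and that the path ends at the first ? or #; the names split_url, encode_path_only, SAFE and UNCHANGED are chosen here, and the UNCHANGED inputs are constructed.

```python
import re

# Safe list from the table on this page; every other character is encoded.
SAFE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "#%()-./\\_{}|~"
)

# Assumption: a scheme/authority prefix is recognised only as
# "scheme://authority"; any other string is treated as a relative path.
_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[^/?#]*")


def split_url(value):
    """Return (scheme_and_authority, path, query_and_fragment)."""
    m = _PREFIX.match(value)
    prefix = m.group(0) if m else ""
    rest = value[len(prefix):]
    # Assumption: the path ends at the first '?' or '#'.
    cut = re.search(r"[?#]", rest)
    end = cut.start() if cut else len(rest)
    return prefix, rest[:end], rest[end:]


def encode_path_only(value):
    """Percent-encode only the path part, per the documented rules."""
    prefix, path, tail = split_url(value)
    out = []
    for ch in path:
        if ch in SAFE:
            out.append(ch)
        else:
            # %SINGLE_BYTE_HEX: one %xx per UTF-8 byte, lowercase hex
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return prefix + "".join(out) + tail


# Constructed inputs that come back unchanged under these rules, so the
# caller still has to validate or encode them separately.
UNCHANGED = [
    "/docs/../web.config",  # '.' and '/' are on the safe list
    "/a%2fb",               # '%' is safe, so existing escapes pass through
    "/search?q=<script>",   # the query is outside the path
]
```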

.NET Framework

Supported in: 4.6, 4.5
© 2015 Microsoft