AntiXssEncoder.UrlPathEncode(String) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Encodes path strings for use in a URL.
protected public:
override System::String ^ UrlPathEncode(System::String ^ value);
protected internal override string UrlPathEncode (string value);
override this.UrlPathEncode : string -> string
Protected Friend Overrides Function UrlPathEncode (value As String) As String
Parameters
- value
- String
The string to encode.
Returns
The URL that contains the encoded path.
Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.
The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range.
Character(s) | Description |
---|---|
A-Z | Uppercase alphabetic characters |
a-z | Lowercase alphabetic characters |
0-9 | Numbers |
# | Number sign, hash |
% | Percent sign |
( ) | Parentheses |
- | Hyphen, minus |
. | Period, dot, full stop |
/ | Slash |
\ | Backslash |
_ | Underscore |
{ } | Braces, curly brackets |
\| | Vertical line |
~ | Tilde |
The following table lists examples of inputs and the corresponding encoded outputs.
Input | Output |
---|---|
http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount] | http://www.contoso.com:8080/%3cen-us%3e/%5bpage%5d.htm?v={value1}#x=[amount] |
alert('XSS Attack!'); | alert(%27XSS%20Attack%21%27)%3b |
<script>alert('XSS Attack!');</script> | %3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e |
alert('XSSあAttack!'); | alert(%27XSS%e3%81%82Attack%21%27)%3b |
user@contoso.com | user%40contoso.com |
"Anti-Cross Site Scripting Namespace" | %22Anti-Cross%20Site%20Scripting%20Namespace%22 |
This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, www.northwind.com or www.contoso.com:8080), or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /default.htm is encoded:
http://www.contoso.com:8080/default.htm?v=s978dfs9#x=103
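The following C# sketch is an added example, not code from this page or from Microsoft. It shows two consequences of the remarks above: the query has to be encoded separately, and safe-listed characters such as / \ % # pass through the path unchanged, so an untrusted segment needs validation as well as encoding. PathEncoder and LinkBuilder are hypothetical names, the query value is a constructed sample, and the code assumes .NET Framework 4.5 or later with a reference to System.Web.

```csharp
using System;
using System.Web.Security.AntiXss;

// Hypothetical wrapper: UrlPathEncode is protected internal, so a derived class
// exposes it. In an ASP.NET application the same method is reached through
// HttpUtility.UrlPathEncode when AntiXssEncoder is the configured encoder
// (<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />).
public sealed class PathEncoder : AntiXssEncoder
{
    public string EncodePath(string value) { return UrlPathEncode(value); }
}

public static class LinkBuilder   // hypothetical helper, not part of System.Web
{
    private static readonly PathEncoder Encoder = new PathEncoder();

    // '/', '\', '%' and '#' are on the safe list and '?' starts the query, which
    // the method skips, so none of them is neutralized by path encoding.
    // Rejecting them is a policy choice made by this example.
    private static readonly char[] Structural = { '/', '\\', '?', '#', '%' };

    public static string Build(string baseUrl, string segment, string queryValue)
    {
        if (string.IsNullOrEmpty(segment) || segment == "." || segment == ".." ||
            segment.IndexOfAny(Structural) >= 0)
            throw new ArgumentException("Segment must be a single path component.", "segment");

        string path = Encoder.EncodePath(segment);
        // UrlPathEncode never touches the query, so its value is encoded here.
        string query = AntiXssEncoder.UrlEncode(queryValue ?? string.Empty);
        return baseUrl.TrimEnd('/') + "/" + path + "?v=" + query;
    }
}

public static class Program
{
    public static void Main()
    {
        // First input from the table above: the path is encoded, the query and
        // fragment are returned as supplied.
        Console.WriteLine(new PathEncoder().EncodePath(
            "http://www.contoso.com:8080/<en-us>/[page].htm?v={value1}#x=[amount]"));

        // Constructed untrusted inputs: one path segment and one query value.
        Console.WriteLine(LinkBuilder.Build("http://www.contoso.com:8080", "<en-us>", "a&b=<c>"));
    }
}
```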