AntiXss.UrlEncode encodes a complete url instead of just parameters


Doing this:

    string s = AntiXss.UrlEncode("http://antixss.codeplex.com/WorkItem/Create.aspx?ProjectName=AntiXSS");

Results in this:
which is unusable.
Only parameters should be encoded.
Closed Apr 14, 2010 at 6:19 PM by bdorrans
Behaviour as expected - will not fix.


syedab wrote Jul 7, 2009 at 12:34 PM

All the methods in the AntiXSS library encode the given input. You should be using <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>

bdorrans wrote Apr 14, 2010 at 6:19 PM

This is as expected - you should be encoding parameters to insert in a URI, not the entire URI
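The difference the two replies describe, as an added example that is not part of the work item: percent-encoding the whole URL (what the report did) leaves an unusable string, whereas encoding only the untrusted parameter value and then attribute-encoding the finished href keeps the link valid. Python's urllib.parse.quote and html.escape stand in for the AntiXSS encoders here; the BASE constant and the function names are assumptions for the example.

```python
from urllib.parse import quote, urlsplit
import html

# Assumed target for the example; matches the host used in syedab's reply.
BASE = "http://search.msn.com/results.aspx"


def encode_whole_url(url: str) -> str:
    """What the report did: URL-encode the complete URL.

    ':' '/' '?' and '=' are reserved characters, so they are all escaped and
    the result no longer parses as a URL.
    """
    return quote(url, safe="")


def build_search_url(untrusted_query: str) -> str:
    """Correct approach from the thread: encode only the untrusted value,
    then splice it into an otherwise literal URL."""
    return f"{BASE}?q={quote(untrusted_query, safe='')}"


def build_anchor(untrusted_query: str, text: str = "Click Here!") -> str:
    """The href then lands in an HTML attribute, which is a second context:
    attribute-encode the whole value so '\"', '<' or '&' cannot break out
    of the attribute, and encode the link text for the element context."""
    href = html.escape(build_search_url(untrusted_query), quote=True)
    return f'<a href="{href}">{html.escape(text)}</a>'


def is_usable_url(url: str) -> bool:
    """Sanity check: does the string still parse as an http URL to BASE's host?"""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.netloc == "search.msn.com"


if __name__ == "__main__":
    print(encode_whole_url(BASE + "?q=AntiXSS"))   # unusable, everything escaped
    print(build_anchor('"><script>alert(1)</script>'))  # value encoded, link intact
```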

