Closed

AntiXss.UrlEncode encodes a complete url instead of just parameters

description

Doing this:
string s = AntiXss.UrlEncode("http://antixss.codeplex.com/WorkItem/Create.aspx?ProjectName=AntiXSS");

Results in this:
http%3a%2f%2fantixss.codeplex.com%2fWorkItem%2fCreate.aspx%3fProjectName%3dAntiXSS

which is unusable.

Only parameters should be encoded.
Closed Apr 14, 2010 at 7:19 PM by bdorrans
Behaviour as expected - will not fix.

comments

syedab wrote Jul 7, 2009 at 1:34 PM

All the methods in the AntiXSS library encode the given input. You should be using <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>

bdorrans wrote Apr 14, 2010 at 7:19 PM

This is as expected - you should be encoding parameters to insert in a URI, not the entire URI.
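The maintainer's answer put into working code, as an added example that is not part of this issue or the AntiXSS project: only the untrusted key/value pairs go through AntiXss.UrlEncode, while the trusted scheme, host, path and separators are emitted literally. It assumes the AntiXSS 3.x Microsoft.Security.Application.AntiXss class used in the report (UrlEncode and HtmlAttributeEncode); SafeUrlBuilder and Build are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Security.Application; // AntiXSS 3.x: AntiXss.UrlEncode / HtmlAttributeEncode

static class SafeUrlBuilder
{
    // Builds "<trustedBaseUri>?k1=v1&k2=v2". Only keys and values are passed through
    // AntiXss.UrlEncode; the base URI and the '?', '=', '&' separators are literals we
    // control, so they are appended unencoded and the result stays a usable URL.
    public static string Build(string trustedBaseUri, IDictionary<string, string> parameters)
    {
        var sb = new StringBuilder(trustedBaseUri);
        string separator = trustedBaseUri.Contains("?") ? "&" : "?";
        foreach (var kv in parameters)
        {
            sb.Append(separator)
              .Append(AntiXss.UrlEncode(kv.Key))
              .Append('=')
              .Append(AntiXss.UrlEncode(kv.Value));
            separator = "&";
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input: a search term with characters that would otherwise
        // terminate the parameter value or break out of the href attribute when rendered.
        string untrusted = "AntiXSS & \"quotes\" <script>";

        // Wrong: encoding the whole URI also encodes ':' '/' '?' '=', which is exactly the
        // unusable "http%3a%2f%2f..." result shown in the report.
        Console.WriteLine(AntiXss.UrlEncode("http://search.msn.com/results.aspx?q=" + untrusted));

        // Right: encode only the untrusted parameter value.
        string url = Build("http://search.msn.com/results.aspx",
                           new Dictionary<string, string> { { "q", untrusted } });
        Console.WriteLine(url);

        // The URL is being inserted into an HTML attribute, so apply the attribute
        // encoder for that context on top of the URL encoding of the parameter.
        Console.WriteLine("<a href=\"" + AntiXss.HtmlAttributeEncode(url) + "\">Click Here!</a>");
    }
}
```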