UrlPathEncode Encodes Scheme

Feb 8, 2012 at 7:42 PM

Given a fully qualified url starting with "http://" I'm finding that the UrlPathEncode method encodes the url scheme to "http3a//". This causes issues when AntiXss is set as the default encoder for a web application and Image controls are used on a page. When the Image control is rendered, the ImageUrl property is encoded to an unresolvable url. Below are tests that demonstrate the difference between the default encoder and the AntiXss encoder.

Is this a known issue and is there a resolution coming soon?

Thanks

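using System.Web;                                    // HttpUtility
using Microsoft.VisualStudio.TestTools.UnitTesting;  // MSTest attributes and Assert

[TestClass]
public class UrlPathEncodeTests
{
   // AntiXss encoder: a full URL is treated as a path, so the scheme is encoded too.
   [TestMethod]
   public void AntiXssEncoderTest()
   {
      var url = "http://foo.bar.org/image.png";
      var encoded = Microsoft.Security.Application.Encoder.UrlPathEncode(url);
      Assert.AreEqual(url, encoded);  // Fails
   }

   // Framework default encoder: the same URL comes back unchanged.
   [TestMethod]
   public void DefaultEncoderTest()
   {
      var url = "http://foo.bar.org/image.png";
      var encoded = HttpUtility.UrlPathEncode(url);
      Assert.AreEqual(url, encoded);  // Succeeds
   }
}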

Coordinator
Feb 8, 2012 at 8:17 PM

Yes, the way the framework did it changed, and I didn't keep up. Strictly speaking I'm right, it's just you're not passing in a path, you're passing in a full URL. Unfortunately some of the web forms controls are making assumptions about what UrlEncoding does (it's badly named, I realise). I have a fix for this and it'll be merged into the next version.

As ever we don't comment on time scales.
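
The path-versus-full-URL distinction from the reply above, as an added example that is not part of the original thread or of the AntiXSS code base: the path encoder is applied to the path component only, so the scheme and authority pass through untouched. `EncodePathOnly` and `EncodeSegments` are hypothetical names; `EncodeSegments` is a stand-in so the sample runs without the library, and `Microsoft.Security.Application.Encoder.UrlPathEncode` could be passed in its place.

```csharp
using System;

public static class PathOnlyEncoding
{
    static readonly char[] Delims = { '/', '?', '#' };
    static readonly char[] TailDelims = { '?', '#' };

    // Hypothetical helper: encodes only the path of an absolute or relative URL.
    // Query and fragment are passed through and need their own encoding.
    public static string EncodePathOnly(string url, Func<string, string> pathEncoder)
    {
        int pathStart = 0;
        int schemeEnd = url.IndexOf("://", StringComparison.Ordinal);
        int firstDelim = url.IndexOfAny(Delims);

        // "://" only marks a scheme if it comes before any '/', '?' or '#';
        // otherwise it sits inside a relative URL's path or query.
        if (schemeEnd > 0 && firstDelim > schemeEnd)
        {
            // Absolute URL: skip "scheme://authority".
            pathStart = url.IndexOfAny(Delims, schemeEnd + 3);
            if (pathStart < 0 || url[pathStart] != '/')
                return url; // no path component to encode
        }

        int tailStart = url.IndexOfAny(TailDelims, pathStart);
        if (tailStart < 0) tailStart = url.Length;

        return url.Substring(0, pathStart)
             + pathEncoder(url.Substring(pathStart, tailStart - pathStart))
             + url.Substring(tailStart);
    }

    // Stand-in path encoder (assumption): percent-encodes each segment, keeps '/'.
    public static string EncodeSegments(string path)
    {
        string[] parts = path.Split('/');
        for (int i = 0; i < parts.Length; i++)
            parts[i] = Uri.EscapeDataString(parts[i]);
        return string.Join("/", parts);
    }

    public static void Main()
    {
        // Constructed sample inputs; the last call feeds the whole URL to the
        // path encoder, which reproduces the encoded-scheme problem.
        Console.WriteLine(EncodePathOnly("http://foo.bar.org/image.png", EncodeSegments));
        Console.WriteLine(EncodePathOnly("http://foo.bar.org/my image.png?x=1", EncodeSegments));
        Console.WriteLine(EncodeSegments("http://foo.bar.org/image.png"));
    }
}
```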

Jul 25, 2013 at 4:00 PM
It seems that the incorrect behaviour is still there in version 4.2.1. Any hope this will be fixed soon?