我發現使用HTMLAgilityPack的HTML清理器的a brilliant example。在代碼中,Microsoft.Security.Application.Encoder類用於:Microsoft.Security.Application.Encoder.UrlPathEncode是做什麼的?
// AntiXss
a.Value = Microsoft.Security.Application.Encoder.UrlPathEncode(a.Value);
我找不到含有此類大會,我寧願沒有在我的項目另一依賴,以及消毒工作沒有這條線。但是,刪除此調用可能會在代碼中造成安全漏洞。
爲了決定還是反對使用這個程序集,我想知道:這個方法實際上做了什麼?
你可以看看source code
從源代碼的方法
/// <summary>
/// URL-encodes the path section of a URL string and returns the encoded string.
/// </summary>
/// <param name="input">The text to URL path encode</param>
/// <returns>The URL path encoded text.</returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage(
"Microsoft.Design",
"CA1055:UriReturnValuesShouldNotBeStrings",
Justification = "This does not return a full URL so the return type can be a string.")]
public static string UrlPathEncode(string input)
{
if (string.IsNullOrEmpty(input))
{
return input;
}
// DevDiv #211105: We should make the UrlPathEncode method encode only the path portion of URLs.
string schemeAndAuthority;
string path;
string queryAndFragment;
bool validUrl = UriUtil.TrySplitUriForPathEncode(input, out schemeAndAuthority, out path, out queryAndFragment);
if (!validUrl)
{
// treat as a relative URL, so we might still need to chop off the query/fragment components
schemeAndAuthority = null;
UriUtil.ExtractQueryAndFragment(input, out path, out queryAndFragment);
}
return schemeAndAuthority + HtmlParameterEncoder.UrlPathEncode(path, Encoding.UTF8) + queryAndFragment;
}
你將有更深入去所有的運動部件編碼的URI。通常我會建議查看單元測試,以瞭解組件的預期情況,但乍一看Encoder類沒有測試:(
與[this](http://msdn.microsoft.com/ en-us/library/system.web.security.antixss.antixssencoder.urlpathencode%28v = vs.110%29.aspx)也許(請參閱文章末尾的示例) – dewaffled 2014-10-28 12:44:50
我認爲這用於消毒任何src/href類型的屬性,其中包含一個url(例如,這可以通過'href ='javascript:badthings()'獲得xss劫持) – 2015-03-20 01:42:52