What does Microsoft.Security.Application.Encoder.UrlPathEnco
Last updated: 2023-09-27 18:28:01
I found an excellent example of an HTML sanitizer that uses HTMLAgilityPack. In the code, the Microsoft.Security.Application.Encoder class is used:
// AntiXss
a.Value = Microsoft.Security.Application.Encoder.UrlPathEncode(a.Value);
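I couldn't find the assembly that contains this class. I would prefer not to have another dependency in my project, and the sanitizer works without this line. However, removing this call may leave a security hole in the code.
To decide whether to use this assembly, I would like to know: what does this method actually do?
You can take a look at the source code.
The method's source code: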
/// <summary>
/// URL-encodes the path section of a URL string and returns the encoded string.
/// </summary>
/// <param name="input">The text to URL path encode</param>
/// <returns>The URL path encoded text.</returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage(
    "Microsoft.Design",
    "CA1055:UriReturnValuesShouldNotBeStrings",
    Justification = "This does not return a full URL so the return type can be a string.")]
public static string UrlPathEncode(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return input;
    }
    // DevDiv #211105: We should make the UrlPathEncode method encode only the path portion of URLs.
    string schemeAndAuthority;
    string path;
    string queryAndFragment;
    bool validUrl = UriUtil.TrySplitUriForPathEncode(input, out schemeAndAuthority, out path, out queryAndFragment);
    if (!validUrl)
    {
        // treat as a relative URL, so we might still need to chop off the query / fragment components
        schemeAndAuthority = null;
        UriUtil.ExtractQueryAndFragment(input, out path, out queryAndFragment);
    }
    return schemeAndAuthority + HtmlParameterEncoder.UrlPathEncode(path, Encoding.UTF8) + queryAndFragment;
}
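You would have to dig deeper to understand all the moving parts of encoding the URI. Normally I would recommend looking at the unit tests to see what is expected from a component, but at first glance I don't see any tests for the Encoder class :(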
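An added example, not part of the original answer and not AntiXSS's code: a self-contained C# sketch of the split-then-encode shape the method above follows. The splitting logic and the safe-character set (RFC 3986 unreserved characters plus '/') are assumptions standing in for UriUtil and HtmlParameterEncoder, whose sources are not shown on this page.

```csharp
using System;
using System.Text;
static class PathEncodeSketch
{
    // Assumption: these bytes stay literal; AntiXSS's own safe list may differ.
    const string Safe = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/";

    // Percent-encode every UTF-8 byte of the path that is not in the safe list.
    static string EncodePath(string path)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(path))
        {
            if (Safe.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    public static string UrlPathEncode(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;
        // Query and fragment start at the first '?' or '#' and pass through unchanged.
        int cut = input.IndexOfAny(new[] { '?', '#' });
        string head = cut < 0 ? input : input.Substring(0, cut);
        string queryAndFragment = cut < 0 ? "" : input.Substring(cut);
        // Absolute URL: keep "scheme://authority" untouched; otherwise treat as relative.
        string schemeAndAuthority = "";
        string path = head;
        int sep = head.IndexOf("://", StringComparison.Ordinal);
        if (sep > 0 && head.IndexOf('/') == sep + 1)
        {
            int slash = head.IndexOf('/', sep + 3);
            schemeAndAuthority = slash < 0 ? head : head.Substring(0, slash);
            path = slash < 0 ? "" : head.Substring(slash);
        }
        return schemeAndAuthority + EncodePath(path) + queryAndFragment;
    }

    static void Main()
    {
        // Constructed sample inputs: one absolute URL, one relative URL.
        foreach (var s in new[] { "http://example.com/a b/\"x\"?q=<1>#frag",
                                  "docs/r\u00E9sum\u00E9 1.html?x=a b" })
            Console.WriteLine(s + " -> " + UrlPathEncode(s));
    }
}
```

In this sketch only the path segment is percent-encoded; the scheme, authority, query and fragment are returned as given, matching the concatenation on the last line of the method above.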