开发者

AntiXss.UrlEncode vs. AntiXss.HtmlAttributeEncode usage in link (a href)

开发者 https://www.devze.com 2023-01-12 23:16 出处:网络
According to old AntiXss article on MSDN AntiXss.UrlEncode is used to encode link href (Untrusted-input in the following example):

According to old AntiXss article on MSDN AntiXss.UrlEncode is used to encode link href (Untrusted-input in the following example):

<a href="http://search.msn.com/results.aspx?q=[Untrusted-input]">Click Here!</a>

My understanding was, that UrlEncode should be used only when setting something to URL, like when setting document.location with JS. So why don't I use HtmlAttributeEncode in the previous example to encode [Untrusted-input]? On the other hand is there a security flaw if I use UrlEncode to enc开发者_如何学Goode HTML attributes like in the above sample?


Url Encode encodes URL parameters for use in anchor tags.

Html Attribute encode encodes things for use in general HTML attributes.

Both encoding types vary - unsafe characters in HTML attribute encoding will be turned into a &xxx; form, in URL encoding they'll turn into %xxx. Whilst it's probably unlikely getting it wrong would cause a security problem your data wouldn't be properly rendered in the browser, or understood in a request.

(Indeed Url encoding is probably going to change because of an incompatibility with older browsers, and HTML Encoding will change in the next CTP drop to allow for safe listing of particular Unicode ranges).

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号