AntiXssEncoder.UrlPathEncode(String) AntiXssEncoder.UrlPathEncode(String) AntiXssEncoder.UrlPathEncode(String) AntiXssEncoder.UrlPathEncode(String) Method


Encodes path strings for use in a URL.

protected public:
 override System::String ^ UrlPathEncode(System::String ^ value);
protected internal override string UrlPathEncode (string value);
override this.UrlPathEncode : string -> string
Protected Friend Overrides Function UrlPathEncode (value As String) As String


String String String String

The string to encode.


The URL that contains the encoded path.


This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.

The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range.

Character(s) Description
A-Z Uppercase alphabetic characters
a-z Lowercase alphabetic characters
0-9 Numbers
# Number sign, hash
% Percent sign
( ) Parentheses
- Hyphen, minus
. Period, dot, full stop
/ Slash
\ Backslash
_ Underscore
{ } Braces, curly brackets
| Vertical line
~ Tilde

The following table lists examples of inputs and the corresponding encoded outputs.<en-us>/[page].htm?v={value1}#x=[amount]{value1}#x=[amount]
alert('XSS Attack!'); alert(%27XSS%20Attack%21%27)%3b
<script>alert('XSS Attack!');</script> %3cscript%3ealert(%27XSS%20Attack%21%27)%3b%3c/script%3e
alert('XSSあAttack!'); alert(%27XSS%e3%81%82Attack%21%27)%3b
"Anti-Cross Site Scripting Namespace" %22Anti-Cross%20Site%20Scripting%20Namespace%22

This method encodes only the path of a URL. This method will not encode the scheme (for example, http:, ftp:, or file:), the authority (for example, or, or the query or fragment (for example, ?v=s978dfs9#x=103). If there is no scheme or authority in the string, the string is assumed to be a relative path, and the path is encoded. In the following URL, only the substring /default.htm is encoded:

Applies to