/// <summary> /// Joins all parameters into a query string. /// </summary> /// <param name="parameters">The parameters.</param> /// <returns>A query string.</returns> public static string ToQueryString(this IDictionary <string, object> parameters) { if (parameters == null || !parameters.Any()) { return(string.Empty); } var encodedParameterParts = parameters.Select( p => $"{AntiXssEncoder.UrlEncode(p.Key)}={AntiXssEncoder.UrlEncode((p.Value ?? "").ToString())}"); return(string.Join("&", encodedParameterParts)); }
public static String AsCleanedLink(this Object source) { Boolean okForFurtherProcessing = ParseObject(source, out String cleaned); if (!okForFurtherProcessing) { return(cleaned); } Boolean localUrl = cleaned.IsLocalUrl(); if (localUrl) { return(cleaned); } var uriBuilder = new UriBuilder(cleaned); IList <String> cleanedSegments = new List <String>(); foreach (String segment in uriBuilder.Uri.Segments) { String cleanedSegment = segment.Replace("/", String.Empty); if (cleanedSegment == String.Empty) { continue; } cleanedSegments.Add(AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(cleanedSegment))); // NOTE: we're back and forth because we can't turn off the UriBuilder's default url encoder // and the UriBuilder's default url encoder did not escape singiequote and normal brackets } uriBuilder.Path = String.Join("/", cleanedSegments); NameValueCollection queryStrings = HttpUtility.ParseQueryString(uriBuilder.Query); NameValueCollection shadowQueryStrings = HttpUtility.ParseQueryString(uriBuilder.Query); foreach (String key in shadowQueryStrings) { queryStrings[key] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(shadowQueryStrings[key])); } uriBuilder.Query = HttpUtility.UrlDecode(queryStrings.ToString()); uriBuilder.Fragment = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(uriBuilder.Fragment).Replace("#", String.Empty)); // NOTE: hack to remove port if (uriBuilder.Uri.IsDefaultPort) { uriBuilder.Port = -1; } return(uriBuilder.Uri.AbsoluteUri); }
public async Task <ActionResult> ConfirmEmailRequest() { if (!ViewBag.Settings.EmailConfirmationEnabled) { ADXTrace.Instance.TraceError(TraceCategory.Application, "ManageController.ConfirmEmailRequest: EmailConfirmationEnabled not enabled"); return(HttpNotFound()); } var user = await UserManager.FindByIdAsync(User.Identity.GetUserId()); if (user == null) { throw new ApplicationException("Account error."); } var code = await GetEmailConfirmationCode(user); var callbackUrl = Url.Action("ConfirmEmail", "Manage", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme); var parameters = new Dictionary <string, object> { { "UserId", user.Id }, { "Code", code }, { "UrlCode", AntiXssEncoder.UrlEncode(code) }, { "CallbackUrl", callbackUrl } }; try { await OrganizationManager.InvokeProcessAsync("adx_SendEmailConfirmationToContact", user.ContactId, parameters); //await UserManager.SendEmailAsync(user.Id, "Confirm your account", "Please confirm your account by clicking this link: <a href=\"" + callbackUrl + "\">link</a>"); } catch (Exception e) { Adxstudio.Xrm.ADXTrace.Instance.TraceError(Adxstudio.Xrm.TraceCategory.Application, e.ToString()); } if (ViewBag.Settings.IsDemoMode) { ViewBag.DemoModeLink = callbackUrl; } return(View(new RegisterViewModel { Email = user.Email })); }
static String HandleUrlEncode(String value) => AntiXssEncoder.UrlEncode(value).Replace("+", "%20");
protected override ValidationResult IsValid(object value, ValidationContext validationContext) { var administrator = (Administrator)validationContext.ObjectInstance; if (string.IsNullOrEmpty(administrator.Username)) { administrator.Username = AntiXssEncoder.HtmlEncode(administrator.Username, false); } if (string.IsNullOrEmpty(administrator.Password)) { administrator.Password = AntiXssEncoder.HtmlEncode(administrator.Password, false); } if (string.IsNullOrEmpty(administrator.urlRedirection)) { administrator.urlRedirection = AntiXssEncoder.UrlEncode(administrator.urlRedirection); } if (string.IsNullOrEmpty(administrator.id_Admin)) { administrator.id_Admin = AntiXssEncoder.HtmlEncode(administrator.id_Admin, false); } if (string.IsNullOrEmpty(administrator.ad_typeID)) { administrator.ad_typeID = AntiXssEncoder.HtmlEncode(administrator.ad_typeID, false); } if (string.IsNullOrEmpty(administrator.ad_firstname)) { administrator.ad_firstname = AntiXssEncoder.HtmlEncode(administrator.ad_firstname, false); } if (string.IsNullOrEmpty(administrator.ad_lastname)) { administrator.ad_lastname = AntiXssEncoder.HtmlEncode(administrator.ad_lastname, false); } if (string.IsNullOrEmpty(administrator.ad_avatarprofile)) { administrator.ad_avatarprofile = AntiXssEncoder.UrlEncode(administrator.ad_avatarprofile); } if (string.IsNullOrEmpty(administrator.ad_email)) { administrator.ad_email = AntiXssEncoder.HtmlEncode(administrator.ad_email, false); } if (string.IsNullOrEmpty(administrator.ad_phone)) { administrator.ad_phone = AntiXssEncoder.HtmlEncode(administrator.ad_phone, false); } if (string.IsNullOrEmpty(administrator.ad_mobile)) { administrator.ad_mobile = AntiXssEncoder.HtmlEncode(administrator.ad_mobile, false); } if (string.IsNullOrEmpty(administrator.ad_has2stepSecurity)) { administrator.ad_has2stepSecurity = AntiXssEncoder.HtmlEncode(administrator.ad_has2stepSecurity, false); } if (string.IsNullOrEmpty(administrator.ad_isActive)) { administrator.ad_isActive = AntiXssEncoder.HtmlEncode(administrator.ad_isActive, false); } if (string.IsNullOrEmpty(administrator.ad_isDelete)) { administrator.ad_isDelete = AntiXssEncoder.HtmlEncode(administrator.ad_isDelete, false); } if (string.IsNullOrEmpty(administrator.ad_lastseen)) { administrator.ad_lastseen = AntiXssEncoder.HtmlEncode(administrator.ad_lastseen, false); } if (string.IsNullOrEmpty(administrator.ad_lastlogin)) { administrator.ad_lastlogin = AntiXssEncoder.HtmlEncode(administrator.ad_lastlogin, false); } if (string.IsNullOrEmpty(administrator.ad_loginIP)) { administrator.ad_loginIP = AntiXssEncoder.HtmlEncode(administrator.ad_loginIP, false); } if (string.IsNullOrEmpty(administrator.ad_regdate)) { administrator.ad_regdate = AntiXssEncoder.HtmlEncode(administrator.ad_regdate, false); } if (string.IsNullOrEmpty(administrator.ad_personalColorHexa)) { administrator.ad_personalColorHexa = AntiXssEncoder.HtmlEncode(administrator.ad_personalColorHexa, false); } if (string.IsNullOrEmpty(administrator.AdminModeID)) { administrator.AdminModeID = AntiXssEncoder.HtmlEncode(administrator.AdminModeID, false); } if (string.IsNullOrEmpty(administrator.ad_NickName)) { administrator.ad_NickName = AntiXssEncoder.HtmlEncode(administrator.ad_NickName, false); } return(ValidationResult.Success); }
public void Run() { Console.WriteLine("Start."); String[] urls = new[] { "", null, " ", "/", "/Home/Index", "/Dashboard", "/Non", "~", "~/", "~/Home/Index", "~/Dashboard", "~/Non", "/~/", "../", "../Home.aspx", "Home/Index.aspx", "http:web.development.net", "http:/web.development.net", "https:web.development.net", "https:/web.development.net", "http://web.development.net/Home/Index", "https://web.development.net/Home/Index", "https://google.com", "http://web.development.net/Home/Index?q=hello", "http://web.development.net/Home-Index", "http://web.development.net/Home/Index?q=<script>alert('yeehaw');</script>", "http://web.development.net/Home/Index<en-us>/[page].htm?v={value1}#x=[amount]", "http://web.development.net/Home/Index<en-us>/[page].htm?v={value1}#x=[amount]&q=<script>alert('yeehaw');</script>", // NOTE: fragment issue "http://web.development.net/Home/Index<en-us>/[page].htm?q=<script>alert('yeehaw');</script>&x=a+b&v={value1}#x=[amount]" }; Dbg("IsLocalUrl:", urls.Select(url => new { Url = url, Local = url.IsLocalUrl(new Uri("http://web.development.net")) }) ); Dbg("IsWellFormedUriString:", urls.Select(url => new { Url = url, Absolute = Uri.IsWellFormedUriString(url, UriKind.Absolute), Relative = Uri.IsWellFormedUriString(url, UriKind.Relative) }) ); Func <String, Boolean> isAbsolute = url => { try { new Uri(url); } catch (ArgumentNullException) { return(false); } catch (UriFormatException) { return(false); } return(true); }; Dbg("Not Absolute:", urls .Select(url => new { Url = url, Absolute = isAbsolute(url) }) ); Dbg("Host:", urls .Skip(urls.Length - 9) .Select(url => new { Url = url, new Uri(url).Host, new Uri(url).DnsSafeHost }) ); IEnumerable <String> toBeCleaneds = urls .Take(3) .Concat(urls .Skip(urls.Length - 9)); Dbg("CleanedLink:", toBeCleaneds .Select(url => new { UriBuilder = new UriBuilder(url), HtmlEnc = AntiXssEncoder.HtmlEncode(url, true), UrlEnc = AntiXssEncoder.UrlEncode(url), CustomEnc = url.AsCleanedLink() }) .Select(url => new { Uri = new { url.UriBuilder.Uri.Host, url.UriBuilder.Uri.AbsolutePath, url.UriBuilder.Uri.AbsoluteUri, url.UriBuilder.Uri.Authority, url.UriBuilder.Uri.DnsSafeHost, url.UriBuilder.Uri.Port, url.UriBuilder.Uri.Fragment, url.UriBuilder.Uri.HostNameType, url.UriBuilder.Uri.IdnHost, url.UriBuilder.Uri.IsAbsoluteUri, url.UriBuilder.Uri.IsDefaultPort, url.UriBuilder.Uri.IsFile, url.UriBuilder.Uri.IsLoopback, url.UriBuilder.Uri.IsUnc, url.UriBuilder.Uri.LocalPath, url.UriBuilder.Uri.OriginalString, url.UriBuilder.Uri.PathAndQuery, url.UriBuilder.Uri.Query, QueryStrings = HttpUtility.ParseQueryString(url.UriBuilder.Uri.Query), url.UriBuilder.Uri.Scheme, url.UriBuilder.Uri.Segments, url.UriBuilder.Uri.UserEscaped, url.UriBuilder.Uri.UserInfo }, url.UriBuilder, url.HtmlEnc, url.UrlEnc, url.CustomEnc }) ); Dbg("CleanedLink:", toBeCleaneds .Select(url => url.AsCleanedLink()) ); Console.WriteLine("Done."); }
public void Run() { String address = "http://localhost:8090/Services/Employee?dtFromString=20170801&dtToString=20170830&name=john hashkell&jobs=towns+mayor"; var uri = new Uri(address); Dbg(new { AllUriProps = uri, PartialAuthority = uri.GetLeftPart(UriPartial.Authority), PartialPath = uri.GetLeftPart(UriPartial.Path), PartialQuery = uri.GetLeftPart(UriPartial.Query), PartialScheme = uri.GetLeftPart(UriPartial.Scheme), ForHttpClient = uri.GetLeftPart(UriPartial.Authority), ForGetAsync = uri.AbsolutePath, NotAllUriProps = new { uri.Host, uri.AbsolutePath, uri.AbsoluteUri, uri.Authority, uri.DnsSafeHost, uri.Port, uri.Fragment, uri.HostNameType, uri.IdnHost, uri.IsAbsoluteUri, uri.IsDefaultPort, uri.IsFile, uri.IsLoopback, uri.IsUnc, uri.LocalPath, uri.OriginalString, uri.PathAndQuery, uri.Query, uri.Scheme, uri.Segments, uri.UserEscaped, uri.UserInfo } }); var uriB = new UriBuilder(address); NameValueCollection query = HttpUtility.ParseQueryString(uriB.Query); query["dtFromString"] = HttpUtility.UrlEncode(query["dtFromString"]); query["dtToString"] = HttpUtility.UrlEncode(query["dtToString"]); query["name"] = HttpUtility.UrlEncode(query["name"]); query["jobs"] = HttpUtility.UrlEncode(query["jobs"]); uriB.Query = query.ToString(); var uriC = new UriBuilder(address); NameValueCollection query2 = HttpUtility.ParseQueryString(uriC.Query); query2["dtFromString"] = HttpUtility.UrlPathEncode(query2["dtFromString"]); query2["dtToString"] = HttpUtility.UrlPathEncode(query2["dtToString"]); query2["name"] = HttpUtility.UrlPathEncode(query2["name"]); query2["jobs"] = HttpUtility.UrlPathEncode(query2["jobs"]); uriC.Query = query2.ToString(); var uriD = new UriBuilder(address); NameValueCollection query3 = HttpUtility.ParseQueryString(uriD.Query); query3["dtFromString"] = HttpUtility.UrlEncode(query3["dtFromString"]).Replace("+", "%20"); query3["dtToString"] = HttpUtility.UrlEncode(query3["dtToString"]).Replace("+", "%20"); query3["name"] = HttpUtility.UrlEncode(query3["name"]).Replace("+", "%20"); query3["jobs"] = HttpUtility.UrlEncode(query3["jobs"]).Replace("+", "%20"); uriD.Query = query3.ToString(); var uriE = new UriBuilder(address); NameValueCollection query4 = HttpUtility.ParseQueryString(uriE.Query); query4["dtFromString"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["dtFromString"])); query4["dtToString"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["dtToString"])); query4["name"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["name"])); query4["jobs"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["jobs"])); uriE.Query = HttpUtility.UrlDecode(query4.ToString()); Dbg(new { Original = address, Modified = uriB.ToString(), Modified2 = uriC.ToString(), Modified3 = uriD.ToString(), Modified4 = uriE.ToString() }); }
public static string UrlEncode(this string input) { return(AntiXssEncoder.UrlEncode(input).Replace("%20", "+")); }