/// <summary>
/// Joins all parameters into a query string.
/// </summary>
/// <param name="parameters">The parameters.</param>
/// <returns>A query string.</returns>
public static string ToQueryString(this IDictionary <string, object> parameters)
{
if (parameters == null || !parameters.Any())
{
return(string.Empty);
}
var encodedParameterParts = parameters.Select(
p => $"{AntiXssEncoder.UrlEncode(p.Key)}={AntiXssEncoder.UrlEncode((p.Value ?? "").ToString())}");
return(string.Join("&", encodedParameterParts));
}
public static String AsCleanedLink(this Object source)
{
Boolean okForFurtherProcessing = ParseObject(source, out String cleaned);
if (!okForFurtherProcessing)
{
return(cleaned);
}
Boolean localUrl = cleaned.IsLocalUrl();
if (localUrl)
{
return(cleaned);
}
var uriBuilder = new UriBuilder(cleaned);
IList <String> cleanedSegments = new List <String>();
foreach (String segment in uriBuilder.Uri.Segments)
{
String cleanedSegment = segment.Replace("/", String.Empty);
if (cleanedSegment == String.Empty)
{
continue;
}
cleanedSegments.Add(AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(cleanedSegment)));
// NOTE: we're back and forth because we can't turn off the UriBuilder's default url encoder
// and the UriBuilder's default url encoder did not escape singiequote and normal brackets
}
uriBuilder.Path = String.Join("/", cleanedSegments);
NameValueCollection queryStrings = HttpUtility.ParseQueryString(uriBuilder.Query);
NameValueCollection shadowQueryStrings = HttpUtility.ParseQueryString(uriBuilder.Query);
foreach (String key in shadowQueryStrings)
{
queryStrings[key] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(shadowQueryStrings[key]));
}
uriBuilder.Query = HttpUtility.UrlDecode(queryStrings.ToString());
uriBuilder.Fragment = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(uriBuilder.Fragment).Replace("#", String.Empty));
// NOTE: hack to remove port
if (uriBuilder.Uri.IsDefaultPort)
{
uriBuilder.Port = -1;
}
return(uriBuilder.Uri.AbsoluteUri);
}
public async Task <ActionResult> ConfirmEmailRequest()
{
if (!ViewBag.Settings.EmailConfirmationEnabled)
{
ADXTrace.Instance.TraceError(TraceCategory.Application,
"ManageController.ConfirmEmailRequest: EmailConfirmationEnabled not enabled");
return(HttpNotFound());
}
var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
if (user == null)
{
throw new ApplicationException("Account error.");
}
var code = await GetEmailConfirmationCode(user);
var callbackUrl = Url.Action("ConfirmEmail", "Manage", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
var parameters = new Dictionary <string, object> {
{ "UserId", user.Id }, { "Code", code }, { "UrlCode", AntiXssEncoder.UrlEncode(code) }, { "CallbackUrl", callbackUrl }
};
try
{
await OrganizationManager.InvokeProcessAsync("adx_SendEmailConfirmationToContact", user.ContactId, parameters);
//await UserManager.SendEmailAsync(user.Id, "Confirm your account", "Please confirm your account by clicking this link: <a href=\"" + callbackUrl + "\">link</a>");
}
catch (Exception e)
{
Adxstudio.Xrm.ADXTrace.Instance.TraceError(Adxstudio.Xrm.TraceCategory.Application, e.ToString());
}
if (ViewBag.Settings.IsDemoMode)
{
ViewBag.DemoModeLink = callbackUrl;
}
return(View(new RegisterViewModel {
Email = user.Email
}));
}
static String HandleUrlEncode(String value) => AntiXssEncoder.UrlEncode(value).Replace("+", "%20");
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
var administrator = (Administrator)validationContext.ObjectInstance;
if (string.IsNullOrEmpty(administrator.Username))
{
administrator.Username = AntiXssEncoder.HtmlEncode(administrator.Username, false);
}
if (string.IsNullOrEmpty(administrator.Password))
{
administrator.Password = AntiXssEncoder.HtmlEncode(administrator.Password, false);
}
if (string.IsNullOrEmpty(administrator.urlRedirection))
{
administrator.urlRedirection = AntiXssEncoder.UrlEncode(administrator.urlRedirection);
}
if (string.IsNullOrEmpty(administrator.id_Admin))
{
administrator.id_Admin = AntiXssEncoder.HtmlEncode(administrator.id_Admin, false);
}
if (string.IsNullOrEmpty(administrator.ad_typeID))
{
administrator.ad_typeID = AntiXssEncoder.HtmlEncode(administrator.ad_typeID, false);
}
if (string.IsNullOrEmpty(administrator.ad_firstname))
{
administrator.ad_firstname = AntiXssEncoder.HtmlEncode(administrator.ad_firstname, false);
}
if (string.IsNullOrEmpty(administrator.ad_lastname))
{
administrator.ad_lastname = AntiXssEncoder.HtmlEncode(administrator.ad_lastname, false);
}
if (string.IsNullOrEmpty(administrator.ad_avatarprofile))
{
administrator.ad_avatarprofile = AntiXssEncoder.UrlEncode(administrator.ad_avatarprofile);
}
if (string.IsNullOrEmpty(administrator.ad_email))
{
administrator.ad_email = AntiXssEncoder.HtmlEncode(administrator.ad_email, false);
}
if (string.IsNullOrEmpty(administrator.ad_phone))
{
administrator.ad_phone = AntiXssEncoder.HtmlEncode(administrator.ad_phone, false);
}
if (string.IsNullOrEmpty(administrator.ad_mobile))
{
administrator.ad_mobile = AntiXssEncoder.HtmlEncode(administrator.ad_mobile, false);
}
if (string.IsNullOrEmpty(administrator.ad_has2stepSecurity))
{
administrator.ad_has2stepSecurity = AntiXssEncoder.HtmlEncode(administrator.ad_has2stepSecurity, false);
}
if (string.IsNullOrEmpty(administrator.ad_isActive))
{
administrator.ad_isActive = AntiXssEncoder.HtmlEncode(administrator.ad_isActive, false);
}
if (string.IsNullOrEmpty(administrator.ad_isDelete))
{
administrator.ad_isDelete = AntiXssEncoder.HtmlEncode(administrator.ad_isDelete, false);
}
if (string.IsNullOrEmpty(administrator.ad_lastseen))
{
administrator.ad_lastseen = AntiXssEncoder.HtmlEncode(administrator.ad_lastseen, false);
}
if (string.IsNullOrEmpty(administrator.ad_lastlogin))
{
administrator.ad_lastlogin = AntiXssEncoder.HtmlEncode(administrator.ad_lastlogin, false);
}
if (string.IsNullOrEmpty(administrator.ad_loginIP))
{
administrator.ad_loginIP = AntiXssEncoder.HtmlEncode(administrator.ad_loginIP, false);
}
if (string.IsNullOrEmpty(administrator.ad_regdate))
{
administrator.ad_regdate = AntiXssEncoder.HtmlEncode(administrator.ad_regdate, false);
}
if (string.IsNullOrEmpty(administrator.ad_personalColorHexa))
{
administrator.ad_personalColorHexa = AntiXssEncoder.HtmlEncode(administrator.ad_personalColorHexa, false);
}
if (string.IsNullOrEmpty(administrator.AdminModeID))
{
administrator.AdminModeID = AntiXssEncoder.HtmlEncode(administrator.AdminModeID, false);
}
if (string.IsNullOrEmpty(administrator.ad_NickName))
{
administrator.ad_NickName = AntiXssEncoder.HtmlEncode(administrator.ad_NickName, false);
}
return(ValidationResult.Success);
}
public void Run()
{
Console.WriteLine("Start.");
String[] urls = new[] {
"",
null,
" ",
"/",
"/Home/Index",
"/Dashboard",
"/Non",
"~",
"~/",
"~/Home/Index",
"~/Dashboard",
"~/Non",
"/~/",
"../",
"../Home.aspx",
"Home/Index.aspx",
"http:web.development.net",
"http:/web.development.net",
"https:web.development.net",
"https:/web.development.net",
"http://web.development.net/Home/Index",
"https://web.development.net/Home/Index",
"https://google.com",
"http://web.development.net/Home/Index?q=hello",
"http://web.development.net/Home-Index",
"http://web.development.net/Home/Index?q=<script>alert('yeehaw');</script>",
"http://web.development.net/Home/Index<en-us>/[page].htm?v={value1}#x=[amount]",
"http://web.development.net/Home/Index<en-us>/[page].htm?v={value1}#x=[amount]&q=<script>alert('yeehaw');</script>", // NOTE: fragment issue
"http://web.development.net/Home/Index<en-us>/[page].htm?q=<script>alert('yeehaw');</script>&x=a+b&v={value1}#x=[amount]"
};
Dbg("IsLocalUrl:",
urls.Select(url => new {
Url = url,
Local = url.IsLocalUrl(new Uri("http://web.development.net"))
})
);
Dbg("IsWellFormedUriString:",
urls.Select(url => new {
Url = url,
Absolute = Uri.IsWellFormedUriString(url, UriKind.Absolute),
Relative = Uri.IsWellFormedUriString(url, UriKind.Relative)
})
);
Func <String, Boolean> isAbsolute = url => {
try {
new Uri(url);
}
catch (ArgumentNullException) {
return(false);
}
catch (UriFormatException) {
return(false);
}
return(true);
};
Dbg("Not Absolute:",
urls
.Select(url => new {
Url = url,
Absolute = isAbsolute(url)
})
);
Dbg("Host:",
urls
.Skip(urls.Length - 9)
.Select(url => new {
Url = url,
new Uri(url).Host,
new Uri(url).DnsSafeHost
})
);
IEnumerable <String> toBeCleaneds = urls
.Take(3)
.Concat(urls
.Skip(urls.Length - 9));
Dbg("CleanedLink:",
toBeCleaneds
.Select(url => new {
UriBuilder = new UriBuilder(url),
HtmlEnc = AntiXssEncoder.HtmlEncode(url, true),
UrlEnc = AntiXssEncoder.UrlEncode(url),
CustomEnc = url.AsCleanedLink()
})
.Select(url => new {
Uri = new {
url.UriBuilder.Uri.Host,
url.UriBuilder.Uri.AbsolutePath,
url.UriBuilder.Uri.AbsoluteUri,
url.UriBuilder.Uri.Authority,
url.UriBuilder.Uri.DnsSafeHost,
url.UriBuilder.Uri.Port,
url.UriBuilder.Uri.Fragment,
url.UriBuilder.Uri.HostNameType,
url.UriBuilder.Uri.IdnHost,
url.UriBuilder.Uri.IsAbsoluteUri,
url.UriBuilder.Uri.IsDefaultPort,
url.UriBuilder.Uri.IsFile,
url.UriBuilder.Uri.IsLoopback,
url.UriBuilder.Uri.IsUnc,
url.UriBuilder.Uri.LocalPath,
url.UriBuilder.Uri.OriginalString,
url.UriBuilder.Uri.PathAndQuery,
url.UriBuilder.Uri.Query,
QueryStrings = HttpUtility.ParseQueryString(url.UriBuilder.Uri.Query),
url.UriBuilder.Uri.Scheme,
url.UriBuilder.Uri.Segments,
url.UriBuilder.Uri.UserEscaped,
url.UriBuilder.Uri.UserInfo
},
url.UriBuilder,
url.HtmlEnc,
url.UrlEnc,
url.CustomEnc
})
);
Dbg("CleanedLink:",
toBeCleaneds
.Select(url => url.AsCleanedLink())
);
Console.WriteLine("Done.");
}
public void Run()
{
String address = "http://localhost:8090/Services/Employee?dtFromString=20170801&dtToString=20170830&name=john hashkell&jobs=towns+mayor";
var uri = new Uri(address);
Dbg(new {
AllUriProps = uri,
PartialAuthority = uri.GetLeftPart(UriPartial.Authority),
PartialPath = uri.GetLeftPart(UriPartial.Path),
PartialQuery = uri.GetLeftPart(UriPartial.Query),
PartialScheme = uri.GetLeftPart(UriPartial.Scheme),
ForHttpClient = uri.GetLeftPart(UriPartial.Authority),
ForGetAsync = uri.AbsolutePath,
NotAllUriProps = new {
uri.Host,
uri.AbsolutePath,
uri.AbsoluteUri,
uri.Authority,
uri.DnsSafeHost,
uri.Port,
uri.Fragment,
uri.HostNameType,
uri.IdnHost,
uri.IsAbsoluteUri,
uri.IsDefaultPort,
uri.IsFile,
uri.IsLoopback,
uri.IsUnc,
uri.LocalPath,
uri.OriginalString,
uri.PathAndQuery,
uri.Query,
uri.Scheme,
uri.Segments,
uri.UserEscaped,
uri.UserInfo
}
});
var uriB = new UriBuilder(address);
NameValueCollection query = HttpUtility.ParseQueryString(uriB.Query);
query["dtFromString"] = HttpUtility.UrlEncode(query["dtFromString"]);
query["dtToString"] = HttpUtility.UrlEncode(query["dtToString"]);
query["name"] = HttpUtility.UrlEncode(query["name"]);
query["jobs"] = HttpUtility.UrlEncode(query["jobs"]);
uriB.Query = query.ToString();
var uriC = new UriBuilder(address);
NameValueCollection query2 = HttpUtility.ParseQueryString(uriC.Query);
query2["dtFromString"] = HttpUtility.UrlPathEncode(query2["dtFromString"]);
query2["dtToString"] = HttpUtility.UrlPathEncode(query2["dtToString"]);
query2["name"] = HttpUtility.UrlPathEncode(query2["name"]);
query2["jobs"] = HttpUtility.UrlPathEncode(query2["jobs"]);
uriC.Query = query2.ToString();
var uriD = new UriBuilder(address);
NameValueCollection query3 = HttpUtility.ParseQueryString(uriD.Query);
query3["dtFromString"] = HttpUtility.UrlEncode(query3["dtFromString"]).Replace("+", "%20");
query3["dtToString"] = HttpUtility.UrlEncode(query3["dtToString"]).Replace("+", "%20");
query3["name"] = HttpUtility.UrlEncode(query3["name"]).Replace("+", "%20");
query3["jobs"] = HttpUtility.UrlEncode(query3["jobs"]).Replace("+", "%20");
uriD.Query = query3.ToString();
var uriE = new UriBuilder(address);
NameValueCollection query4 = HttpUtility.ParseQueryString(uriE.Query);
query4["dtFromString"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["dtFromString"]));
query4["dtToString"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["dtToString"]));
query4["name"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["name"]));
query4["jobs"] = AntiXssEncoder.UrlEncode(HttpUtility.UrlDecode(query4["jobs"]));
uriE.Query = HttpUtility.UrlDecode(query4.ToString());
Dbg(new {
Original = address,
Modified = uriB.ToString(),
Modified2 = uriC.ToString(),
Modified3 = uriD.ToString(),
Modified4 = uriE.ToString()
});
}
public static string UrlEncode(this string input)
{
return(AntiXssEncoder.UrlEncode(input).Replace("%20", "+"));
}
