File: AntiXssEncoder.cs

package info (click to toggle)
mono 4.6.2.7%2Bdfsg-1
links: PTS, VCS
area: main
in suites: stretch
size: 778,148 kB
ctags: 914,052
sloc: cs: 5,779,509; xml: 2,773,713; ansic: 432,645; sh: 14,749; makefile: 12,361; perl: 2,488; python: 1,434; cpp: 849; asm: 531; sql: 95; sed: 16; php: 1
file content (144 lines) | stat: -rw-r--r-- 6,150 bytes
parent folder | download | duplicates (7)
//------------------------------------------------------------------------------
// <copyright file="AntiXssEncoder.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
//------------------------------------------------------------------------------

namespace System.Web.Security.AntiXss {
    using System.Diagnostics.CodeAnalysis;
    using System.IO;
    using System.Text;
    using System.Web.Hosting;
    using System.Web.Util;

    public class AntiXssEncoder : HttpEncoder {

        #region HttpEncoder Methods

        // NOTE: No Anti-XSS equivalents for HtmlDecode and HeaderNameValueEncode

        protected internal override void HtmlAttributeEncode(string value, TextWriter output) {
            if (output == null) {
                throw new ArgumentNullException("output");
            }

            output.Write(UnicodeCharacterEncoder.HtmlAttributeEncode(value));
        }

        protected internal override void HtmlEncode(string value, TextWriter output) {
            if (output == null) {
                throw new ArgumentNullException("output");
            }

            output.Write(HtmlEncode(value, false));
        }

        protected internal override byte[] UrlEncode(byte[] bytes, int offset, int count) {
            if (!HttpEncoder.ValidateUrlEncodingParameters(bytes, offset, count)) {
                return null;
            }

            string utf8String = Encoding.UTF8.GetString(bytes, offset, count);
            string result = UrlEncode(utf8String, Encoding.UTF8);
            return Encoding.UTF8.GetBytes(result);
        }

        protected internal override string UrlPathEncode(string value) {
            if (String.IsNullOrEmpty(value)) {
                return value;
            }

            // DevDiv #211105: We should make the UrlPathEncode method encode only the path portion of URLs.

            string schemeAndAuthority;
            string path;
            string queryAndFragment;
            bool isValidUrl = UriUtil.TrySplitUriForPathEncode(value, out schemeAndAuthority, out path, out queryAndFragment, checkScheme: false);

            if (!isValidUrl) {
                // treat as a relative URL, so we might still need to chop off the query / fragment components
                schemeAndAuthority = null;
                UriUtil.ExtractQueryAndFragment(value, out path, out queryAndFragment);
            }

            return schemeAndAuthority + HtmlParameterEncoder.UrlPathEncode(path, Encoding.UTF8) + queryAndFragment;
        }

        #endregion

        public static void MarkAsSafe(LowerCodeCharts lowerCodeCharts, LowerMidCodeCharts lowerMidCodeCharts,
            MidCodeCharts midCodeCharts, UpperMidCodeCharts upperMidCodeCharts, UpperCodeCharts upperCodeCharts) {

            // should be callable from console apps
            if (HostingEnvironment.IsHosted) {
                HttpApplicationFactory.ThrowIfApplicationOnStartCalled();
            }

            UnicodeCharacterEncoder.MarkAsSafe(lowerCodeCharts, lowerMidCodeCharts, midCodeCharts, upperMidCodeCharts, upperCodeCharts);
        }

        public static string CssEncode(string input) {
            return CssEncoder.Encode(input);
        }

        public static string HtmlEncode(string input, bool useNamedEntities) {
            return UnicodeCharacterEncoder.HtmlEncode(input, useNamedEntities);
        }

        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "As this is meant as a replacement for HttpUility.Encode we must keep the same return type.")]
        public static string UrlEncode(string input) {
            return UrlEncode(input, Encoding.UTF8);
        }
        
        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "This does not return a URL so the return type can be a string.")]
        public static string HtmlFormUrlEncode(string input) {
            return HtmlFormUrlEncode(input, Encoding.UTF8);
        }

        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "This does not return a URL so the return type can be a string.")]
        public static string UrlEncode(string input, int codePage) {
            return UrlEncode(input, Encoding.GetEncoding(codePage));
        }

        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "This does not return a URL so the return type can be a string.")]
        public static string HtmlFormUrlEncode(string input, int codePage) {
            return HtmlFormUrlEncode(input, Encoding.GetEncoding(codePage));
        }

        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "This does not return a URL so the return type can be a string.")]
        public static string UrlEncode(string input, Encoding inputEncoding) {
            // Assuming the default to be UTF-8
            if (inputEncoding == null) {
                inputEncoding = Encoding.UTF8;
            }

            return HtmlParameterEncoder.QueryStringParameterEncode(input, inputEncoding);
        }

        [SuppressMessage("Microsoft.Design", "CA1055:UriReturnValuesShouldNotBeStrings",
            Justification = "This does not return a URL so the return type can be a string.")]
        public static string HtmlFormUrlEncode(string input, Encoding inputEncoding) {
            // Assuming the default to be UTF-8
            if (inputEncoding == null) {
                inputEncoding = Encoding.UTF8;
            }

            return HtmlParameterEncoder.FormStringParameterEncode(input, inputEncoding);
        }

        public static string XmlEncode(string input) {
            return UnicodeCharacterEncoder.XmlEncode(input);
        }

        public static string XmlAttributeEncode(string input) {
            // HtmlEncodeAttribute will handle input
            return UnicodeCharacterEncoder.XmlAttributeEncode(input);
        }

    }
}