
How to encode value to put in iframe src attribute to prevent XSS in ASP.NET MVC?


I'd recommend reading Preventing Open Redirection Attacks (C#) which talks about using the IsLocalUrl() method from the ASP.NET MVC 3 UrlHelper class:

public bool IsLocalUrl(string url) {
  return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
    RequestContext.HttpContext.Request, url);
}

IsUrlLocalToHost() method from the System.Web.WebPages RequestExtensions class:

public static bool IsUrlLocalToHost(this HttpRequestBase request, string url)
{
  return !url.IsEmpty() &&
      ((url[0] == '/' && (url.Length == 1 ||
       (url[1] != '/' && url[1] != '\\'))) ||   // "/" or "/foo" but not "//" or "/\"
       (url.Length > 1 &&
        url[0] == '~' && url[1] == '/'));   // "~/" or "~/foo"
}
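As an added example (not from the answer above or from the ASP.NET source), here is the same local-URL rule as a stand-alone method, combined with HTML attribute encoding so the surviving value can be placed in an iframe src, and exercised against inputs the rule accepts and rejects. The class and method names (LocalUrlPolicy, IsLocal, BuildIframeSrc) and the "/" fallback are this example's own assumptions.

```csharp
using System;
using System.Net;

// Added example: mirrors the IsUrlLocalToHost() rule from the answer as a
// plain static method, then HTML-encodes the chosen value for an iframe src
// attribute. LocalUrlPolicy / IsLocal / BuildIframeSrc are example names,
// not ASP.NET APIs.
public static class LocalUrlPolicy
{
    // Same rule as the answer's IsUrlLocalToHost(): "/" or "/foo" or "~/foo",
    // but not "//host" or "/\host" (protocol-relative forms that leave the site).
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Returns the attribute-encoded src to emit, or a safe default when the
    // candidate is not local. Encoding closes the second hole: a local path
    // such as /page?q=" onload="... must not break out of the attribute.
    public static string BuildIframeSrc(string candidate, string fallback = "/")
    {
        string chosen = IsLocal(candidate) ? candidate : fallback;
        return WebUtility.HtmlEncode(chosen);   // encodes & < > " '
    }

    public static void Main()
    {
        string[] inputs = {                // constructed test inputs
            "/account/home",
            "~/help",
            "/",
            "//attacker.example",          // protocol-relative, leaves the host
            "/\\attacker.example",         // backslash variant browsers normalise
            "javascript:alert(1)",         // no leading slash, rejected
            "https://attacker.example/",   // absolute URL, rejected
            "/page?q=\" onload=\"x",       // local, but needs attribute encoding
        };
        foreach (var url in inputs)
            Console.WriteLine($"{url,-28} local={IsLocal(url),-5} src=\"{BuildIframeSrc(url)}\"");
    }
}
```

In a Razor view the `@` syntax already applies the same HTML encoding, so the validation step is the part the template does not do for you.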
