# Encoding unsafe URLs

 - preserving and encoding any reserved or unsafe characters (such as ‘&’ or ‘%’ ) in the IRI or URI path
 

#### Uri Escape

If I have a string `Paris & Orléans` that I want to pass it as a part of an URL path to the backend. I need to encode it so that I can preserve the "unsafe" or "reserved characters" to safe travel to the backend server.

The standard way to do that is to escape it with URL % encoding.

In [1]:
Uri.EscapeUriString("Paris & Orléans") // 'Paris%20%26%20Orl%C3%A9ans'

Paris%20&%20Orl%C3%A9ans

#### Uri Escape will not touch string that had already been `URI escaped`

For example, if I tried to URI escape `/favorites/François/Paris%20&%20Orl%C3%A9ans` since the end of this string `Paris%20&%20Orl%C3%A9ans` had already in the escaped format, it will not be further modified.

In [2]:
var param = Uri.EscapeUriString("Paris & Orléans"); // 'Paris%20%26%20Orl%C3%A9ans'
var url = $"/favorites/François/{param}";
url

/favorites/François/Paris%20&%20Orl%C3%A9ans

In [3]:
Uri.EscapeUriString(url)

/favorites/Fran%C3%A7ois/Paris%2520&%2520Orl%25C3%25A9ans

### Uri Parsing

If we have a raw URL path that had not been escaped: 
    `https://user:password@www.contoso.com:80/François/Paris & Orléans`

vs a raw URL that had been escaped: 
    `https://user:password@www.contoso.com:80/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans`

Parsing both will yield the same results.

In [4]:
var url = "https://user:password@www.contoso.com:80/François/Paris & Orléans";
Uri uri = new Uri(url);
Console.WriteLine($"AbsolutePath: {uri.AbsolutePath}");
Console.WriteLine($"AbsoluteUri: {uri.AbsoluteUri}");
Console.WriteLine($"DnsSafeHost: {uri.DnsSafeHost}");
Console.WriteLine($"Fragment: {uri.Fragment}");
Console.WriteLine($"Host: {uri.Host}");
Console.WriteLine($"HostNameType: {uri.HostNameType}");
Console.WriteLine($"IdnHost: {uri.IdnHost}");
Console.WriteLine($"IsAbsoluteUri: {uri.IsAbsoluteUri}");
Console.WriteLine($"IsDefaultPort: {uri.IsDefaultPort}");
Console.WriteLine($"IsFile: {uri.IsFile}");
Console.WriteLine($"IsLoopback: {uri.IsLoopback}");
Console.WriteLine($"IsUnc: {uri.IsUnc}");
Console.WriteLine($"LocalPath: {uri.LocalPath}");
Console.WriteLine($"OriginalString: {uri.OriginalString}");
Console.WriteLine($"PathAndQuery: {uri.PathAndQuery}");
Console.WriteLine($"Port: {uri.Port}");
Console.WriteLine($"Query: {uri.Query}");
Console.WriteLine($"Scheme: {uri.Scheme}");
Console.WriteLine($"Segments: {string.Join(", ", uri.Segments)}");
Console.WriteLine($"UserEscaped: {uri.UserEscaped}");
Console.WriteLine($"UserInfo: {uri.UserInfo}");

AbsolutePath: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
AbsoluteUri: https://user:password@www.contoso.com:80/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
DnsSafeHost: www.contoso.com
Fragment: 
Host: www.contoso.com
HostNameType: Dns
IdnHost: www.contoso.com
IsAbsoluteUri: True
IsDefaultPort: False
IsFile: False
IsLoopback: False
IsUnc: False
LocalPath: /François/Paris & Orléans
OriginalString: https://user:password@www.contoso.com:80/François/Paris & Orléans
PathAndQuery: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
Port: 80
Query: 
Scheme: https
Segments: /, Fran%C3%A7ois/, Paris%20&%20Orl%C3%A9ans
UserEscaped: False
UserInfo: user:password


In [5]:
var url = "https://user:password@www.contoso.com:80/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans";
Uri uri = new Uri(url);
Console.WriteLine($"AbsolutePath: {uri.AbsolutePath}");
Console.WriteLine($"AbsoluteUri: {uri.AbsoluteUri}");
Console.WriteLine($"DnsSafeHost: {uri.DnsSafeHost}");
Console.WriteLine($"Fragment: {uri.Fragment}");
Console.WriteLine($"Host: {uri.Host}");
Console.WriteLine($"HostNameType: {uri.HostNameType}");
Console.WriteLine($"IdnHost: {uri.IdnHost}");
Console.WriteLine($"IsAbsoluteUri: {uri.IsAbsoluteUri}");
Console.WriteLine($"IsDefaultPort: {uri.IsDefaultPort}");
Console.WriteLine($"IsFile: {uri.IsFile}");
Console.WriteLine($"IsLoopback: {uri.IsLoopback}");
Console.WriteLine($"IsUnc: {uri.IsUnc}");
Console.WriteLine($"LocalPath: {uri.LocalPath}");
Console.WriteLine($"OriginalString: {uri.OriginalString}");
Console.WriteLine($"PathAndQuery: {uri.PathAndQuery}");
Console.WriteLine($"Port: {uri.Port}");
Console.WriteLine($"Query: {uri.Query}");
Console.WriteLine($"Scheme: {uri.Scheme}");
Console.WriteLine($"Segments: {string.Join(", ", uri.Segments)}");
Console.WriteLine($"UserEscaped: {uri.UserEscaped}");
Console.WriteLine($"UserInfo: {uri.UserInfo}");

AbsolutePath: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
AbsoluteUri: https://user:password@www.contoso.com:80/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
DnsSafeHost: www.contoso.com
Fragment: 
Host: www.contoso.com
HostNameType: Dns
IdnHost: www.contoso.com
IsAbsoluteUri: True
IsDefaultPort: False
IsFile: False
IsLoopback: False
IsUnc: False
LocalPath: /François/Paris & Orléans
OriginalString: https://user:password@www.contoso.com:80/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
PathAndQuery: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
Port: 80
Query: 
Scheme: https
Segments: /, Fran%C3%A7ois/, Paris%20&%20Orl%C3%A9ans
UserEscaped: False
UserInfo: user:password


# IRI (International Resource Identifier)

Using [IRIs](https://www.w3.org/International/O-URL-and-ident.html) allows URLs to contain Unicode characters.

The existing Uri class was extended in .NET Framework v3.5, 3.0 SP1, and 2.0 SP1 to provide IRI support based on RFC 3987. 

In .NET Framework 4.5 and later versions, IRI is always enabled and can't be changed using a configuration option. 

Enabling IDN converts all Unicode labels in a domain name to their Punycode equivalents. Punycode names contain only ASCII characters and always start with the xn-- prefix. 

Noticed that the pynycode host name: `IdnHost: xn--wnu286bc9ckrd.google.com`

In [6]:
var url = "https://我的網站.google.com/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans";
Uri uri = new Uri(url);
Console.WriteLine($"AbsolutePath: {uri.AbsolutePath}");
Console.WriteLine($"AbsoluteUri: {uri.AbsoluteUri}");
Console.WriteLine($"DnsSafeHost: {uri.DnsSafeHost}");
Console.WriteLine($"Fragment: {uri.Fragment}");
Console.WriteLine($"Host: {uri.Host}");
Console.WriteLine($"HostNameType: {uri.HostNameType}");
Console.WriteLine($"IdnHost: {uri.IdnHost}");
Console.WriteLine($"IsAbsoluteUri: {uri.IsAbsoluteUri}");
Console.WriteLine($"IsDefaultPort: {uri.IsDefaultPort}");
Console.WriteLine($"IsFile: {uri.IsFile}");
Console.WriteLine($"IsLoopback: {uri.IsLoopback}");
Console.WriteLine($"IsUnc: {uri.IsUnc}");
Console.WriteLine($"LocalPath: {uri.LocalPath}");
Console.WriteLine($"OriginalString: {uri.OriginalString}");
Console.WriteLine($"PathAndQuery: {uri.PathAndQuery}");
Console.WriteLine($"Port: {uri.Port}");
Console.WriteLine($"Query: {uri.Query}");
Console.WriteLine($"Scheme: {uri.Scheme}");
Console.WriteLine($"Segments: {string.Join(", ", uri.Segments)}");
Console.WriteLine($"UserEscaped: {uri.UserEscaped}");
Console.WriteLine($"UserInfo: {uri.UserInfo}");

AbsolutePath: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
AbsoluteUri: https://我的網站.google.com/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
DnsSafeHost: 我的網站.google.com
Fragment: 
Host: 我的網站.google.com
HostNameType: Dns
IdnHost: xn--wnu286bc9ckrd.google.com
IsAbsoluteUri: True
IsDefaultPort: True
IsFile: False
IsLoopback: False
IsUnc: False
LocalPath: /François/Paris & Orléans
OriginalString: https://我的網站.google.com/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
PathAndQuery: /Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans
Port: 443
Query: 
Scheme: https
Segments: /, Fran%C3%A7ois/, Paris%20&%20Orl%C3%A9ans
UserEscaped: False
UserInfo: 


# Security Concerns

[Security Considerations](https://docs.microsoft.com/en-us/dotnet/api/system.uri?view=net-6.0#security-considerations)

Because of security concerns, your application should use caution when accepting Uri instances from untrusted sources and with dontEscape set to true in the constructor. You can check a URI string for validity by calling the IsWellFormedOriginalString method.

In [7]:
string userInput = "https://user:password@www.contoso.com/Fran%C3%A7ois/Paris%20&%20Orl%C3%A9ans";

Uri baseUri = new Uri("https://user:password@www.contoso.com:80/François/Paris & Orléans");

if (!Uri.TryCreate(baseUri, userInput, out Uri newUri))
{
    Console.WriteLine("FAILED!!!, Invalid Input"); // Fail: invalid input.
}

if (!baseUri.IsBaseOf(newUri))
{
    Console.WriteLine("FAILED!!!, the Uri base has been modified"); // Fail: the Uri base has been modified - the created Uri is not rooted in the original directory.
}

FAILED!!!, the Uri base has been modified
