这是我编写和验证网址的方法。但这个缺陷仍然存在于Response.Redirect();
的两行中public static string GetValidLocalUrl(string url)
{
bool isLocal = false;
if (string.IsNullOrEmpty(url))
{
}
else
{
isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
&& !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
&& Uri.IsWellFormedUriString(url, UriKind.Relative);
}
if (isLocal)
return url;
else
return string.Empty;
}
if (Request.QueryString["selectedPersonID"] == null )
Response.Redirect(Functions.GetValidLocalUrl("RecordEnhancement.aspx?recordID=" + qRecord.concatRecordID + "&selectedWorkplaceID=" + WorkplaceID));
else
Page.Response.Redirect(Functions.GetValidLocalUrl("RecordEnhancement.aspx?recordID=" + qRecord.concatRecordID + "&selectedWorkplaceID=" + WorkplaceID+ "&selectedPersonID=" + Request.QueryString["selectedPersonID"]));
扫描仍然存在缺陷
Response.Redirect(Functions.GetValidLocalUrl("RecordEnhancement.aspx?recordID=" + qRecord.concatRecordID + "&selectedWorkplaceID=" + WorkplaceID));
Page.Response.Redirect(Functions.GetValidLocalUrl("RecordEnhancement.aspx?recordID=" + qRecord.concatRecordID + "&selectedWorkplaceID=" + WorkplaceID+ "&selectedPersonID=" + Request.QueryString["selectedPersonID"]));