Question

According to an old AntiXss article on MSDN, AntiXss.UrlEncode is used to encode a link href (Untrusted-input in the following example):

<a href="http://search.msn.com/results.aspx?q=[Untrusted-input]">Click Here!</a>

My understanding was that UrlEncode should be used only when setting something to a URL, like when setting document.location with JS. So why don't I use HtmlAttributeEncode in the previous example to encode [Untrusted-input]? On the other hand, is there a security flaw if I use UrlEncode to encode HTML attributes, like in the above sample?


Solution

Url Encode encodes URL parameters for use in anchor tags.

Html Attribute encode encodes things for use in general HTML attributes.

Both encoding types differ: unsafe characters in HTML attribute encoding will be turned into a &xxx; form, while in URL encoding they'll turn into %xxx. Whilst it's probably unlikely that getting it wrong would cause a security problem, your data wouldn't be properly rendered in the browser, or understood in a request.

(Indeed, URL encoding is probably going to change because of an incompatibility with older browsers, and HTML encoding will change in the next CTP drop to allow for safe-listing of particular Unicode ranges.)
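The two encoders side by side on the href from the question, as an added example that is not part of the original answer. Python's urllib.parse.quote and html.escape stand in for AntiXss.UrlEncode and AntiXss.HtmlAttributeEncode (an assumption about their behaviour on these characters, not the AntiXss code itself); the round trip shows why a URL-encoded value survives the request and an attribute-encoded one is split on its decoded `&`.

```python
from html import escape, unescape
from urllib.parse import parse_qs, quote

# Constructed untrusted input: contains characters that are special in the
# URL context (&, space) and in the HTML attribute context (", <, >).
UNTRUSTED = 'rock & roll "live" <2024>'
SEARCH_URL = "http://search.msn.com/results.aspx?q="


def url_encode(value: str) -> str:
    """Stand-in for AntiXss.UrlEncode (assumption): percent-encode every
    character that is not unreserved, so the value fits a query parameter."""
    return quote(value, safe="")


def html_attribute_encode(value: str) -> str:
    """Stand-in for AntiXss.HtmlAttributeEncode (assumption): entity-encode
    the characters that could terminate the attribute or open a tag."""
    return escape(value, quote=True)


def href_with(encoder, untrusted: str) -> str:
    """Build the href attribute value from the question, applying one
    encoder to the untrusted query parameter."""
    return SEARCH_URL + encoder(untrusted)


def query_as_received(attribute_value: str) -> dict:
    """Simulate the round trip: the HTML parser decodes entities, the browser
    sends the resulting URL, and the server splits the query on '&' and
    percent-decodes each value. Dangling fragments without '=' are dropped."""
    url = unescape(attribute_value)
    query_string = url.split("?", 1)[1]
    return {name: values[0] for name, values in parse_qs(query_string).items()}


if __name__ == "__main__":
    for name, encoder in (("UrlEncode", url_encode),
                          ("HtmlAttributeEncode", html_attribute_encode)):
        href = href_with(encoder, UNTRUSTED)
        print(f"{name:20} href={href!r}")
        print(f"{'':20} server sees q={query_as_received(href).get('q')!r}")
    # Percent-encoded output contains no &, ", < or >, so attribute-encoding
    # it afterwards (outer HTML context) is a no-op here.
    print("attribute-encoding the URL-encoded value changes it:",
          html_attribute_encode(url_encode(UNTRUSTED)) != url_encode(UNTRUSTED))
```

Encoding for the inner context (URL) first and the outer context (HTML attribute) second is the general rule; here the second step happens to change nothing, which is why the answer says getting it wrong is unlikely to be a security problem but does break the request.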

Licensed under: CC-BY-SA with attribution