I found a security hole in an ASP.NET app where I can manipulate the NavigateUrl value for XSS. I've tried HttpUtility.UrlEncode() but it does not work. Perhaps I am doing it incorrectly or there is a better way?
//Original vulnerable link:
<asp:HyperLink ID="HyperLink1"
    NavigateUrl='<%# Request["Page"] + DataBinder.Eval(Container.DataItem, "ID1", "?1ID={0}") + DataBinder.Eval(Container.DataItem, "NAME1", "&name={0}") %>'
    Text='<%# DataBinder.Eval(Container.DataItem, "NAME1")%>'
    Runat="server" />

//Failed Attempt at Encoding
<asp:HyperLink ID="HyperLink1"
    NavigateUrl='<%# Request["Page"] + HttpUtility.UrlEncode(DataBinder.Eval(Container.DataItem, "ID1", "?1ID={0}")) + HttpUtility.UrlEncode(DataBinder.Eval(Container.DataItem, "NAME1", "&name={0}")) %>'
    Text='<%# DataBinder.Eval(Container.DataItem, "NAME1")%>'
    Runat="server" />
Thanks,
cj
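An added example (not code from the original post) showing one way to rebuild this link safely. In the markup above the only part of the URL an outside user controls is Request["Page"], and the failed attempt never touches it; it also UrlEncodes the "?1ID=" and "&name=" fragments whole, which turns the structural "?" and "&" into "%3f" and "%26" and breaks the link. The approach below validates Request["Page"] against an allowlist of pages the app actually links to, encodes only the query values, and sets NavigateUrl from code-behind. The page names in the allowlist, the SafeLinkBuilder class, the ListPage class, the Repeater1 control and the "#" fallback are all assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the original post. Assumes the link target comes from
// Request["Page"] and the two query values come from the bound row, as in the question.
public static class SafeLinkBuilder
{
    // Hypothetical allowlist: the only pages this link is ever meant to point at.
    // An attacker can then supply neither "javascript:..." nor an off-site URL as Page.
    private static readonly HashSet<string> AllowedPages =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "Details.aspx",
            "Edit.aspx"
        };

    // Returns a relative URL built from trusted parts, or null if the requested
    // page is not on the allowlist.
    public static string Build(string requestedPage, object id1, object name1)
    {
        if (string.IsNullOrEmpty(requestedPage) || !AllowedPages.Contains(requestedPage))
            return null;

        // Encode only the values; the "?" and "&" separators stay literal so the
        // query string keeps its structure.
        return requestedPage
            + "?1ID=" + HttpUtility.UrlEncode(Convert.ToString(id1))
            + "&name=" + HttpUtility.UrlEncode(Convert.ToString(name1));
    }
}

// Hypothetical page class: wires the builder into the Repeater that hosts HyperLink1.
public partial class ListPage : Page
{
    protected void Repeater1_ItemDataBound(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
            return;

        var link = (HyperLink)e.Item.FindControl("HyperLink1");
        object id1 = DataBinder.Eval(e.Item.DataItem, "ID1");
        object name1 = DataBinder.Eval(e.Item.DataItem, "NAME1");

        string url = SafeLinkBuilder.Build(Request["Page"], id1, name1);
        if (url == null)
        {
            // Unknown target page: render an inert link rather than the attacker's value.
            link.NavigateUrl = "#";
        }
        else
        {
            link.NavigateUrl = url;
        }

        // HyperLink.Text is written to the page without encoding, so encode it here
        // in case NAME1 can ever contain markup.
        link.Text = HttpUtility.HtmlEncode(Convert.ToString(name1));
    }
}
```

If you prefer to keep it in the markup, the same helper can be called from the binding expression, e.g. NavigateUrl='<%# SafeLinkBuilder.Build(Request["Page"], Eval("ID1"), Eval("NAME1")) %>', and you then drop the UrlEncode wrappers from the original attempt. The key point either way is that encoding the pieces you already trust does nothing for the piece you do not: the page name has to be validated, not encoded.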