Vulnerability in EPiServer.Forms
I just noticed a problem with url's containing language specific characters like. We have a norwegian customer whos url contains the letters ø and æ. The url is enterd via a short string input box. Before the url is posted on the page it is checked and cleaned up and while debugging the characters are correctly spelled in the url but as soon as they get printed to the hyperlink in markup ø becomes %c3%b8 and æ beomces %c3%a6.
Is there any way to prevent this from happening?
If you are using the content as an URI it will probably be parsed using the .NET URI class. The default behaviour for this class is to not support IDN:s (Internationalized Domain Names) and IRI (International Resource Identifiers). You can configure this class to support IDN:s and IRI:s (http://msdn.microsoft.com/en-us/library/bb882553.aspx). I have not personally tested this but it would be interesting to know if this helps you.
It could also be good to know that EPiServer does not currently support IDN:s and IRI:s for built in functionality since were using custom URI classes that use the URI RFC which basicaly allows characters from the ASCII set.
RegardsLinus EkströmEPiServer Development Team
Thanks for the reply, Linus! Good to know!