ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6930/why.adoc

23 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
https://learn.microsoft.com/en-us/aspnet/core/mvc/controllers/routing[Routing] in ASP.NET MVC maps https://learn.microsoft.com/en-us/aspnet/core/mvc/controllers/actions#what-is-a-controller[controllers] and https://learn.microsoft.com/en-us/aspnet/core/mvc/controllers/actions#defining-actions[actions] to paths in request https://en.wikipedia.org/wiki/Uniform_Resource_Identifier[URIs].
In the former syntax specification of URIs, backslash characters (`\`) were not allowed at all (see https://datatracker.ietf.org/doc/html/rfc2396/#section-2.4.3[section "2.4.3. Excluded US-ASCII Characters" of RFC 2396]).
While the current specification (https://datatracker.ietf.org/doc/html/rfc3986[RFC 3986]) doesn't include anymore the "Excluded US-ASCII Characters" section, most URL processors still don't support backslash properly.
For instance, a backslash in the https://datatracker.ietf.org/doc/html/rfc3986#section-3.3["path" part] of a https://en.wikipedia.org/wiki/URL#Syntax[URL] is automatically converted to a forward slash (`/`) both by Chrome and Internet Explorer (see https://stackoverflow.com/q/10438008[here]).
As an example, `\Calculator\Evaluate?expression=3\4` is converted on the fly into `/Calculator/Evaluate?expression=3\4` before the HTTP request is made to the server.
While backslashes are allowed in the "query" part of a URL, and it's common to have them as part of a complex query expression, the route of a controller is always part of the "path".
That is why the use of backslashes in controller templates should be avoided in general.
=== What is the potential impact?
A backslash in the route pattern of a controller would only make sense if the developer intended the backslash in the route to be explicitly escaped by the user, using https://en.wikipedia.org/wiki/Percent-encoding#Character_data[`%5C`].
For example, the route `Something\[controller]` for the `HomeController` would need to be called as `Something%5CHome`.
The validity of such a scenario is unlikely and the resulting behavior is surprising.
Reference in New Issue View Git Blame Copy Permalink