Invalid Urls incorrectly handled by Script.Include?

Topics: Core
Oct 12, 2012 at 12:08 PM

Hi,

I think I may have spotted a small logic issue in the Script.Include functionality:

    private static string FixPath(string resourcePath, string relativeFromPath) {
        if (!String.IsNullOrEmpty(resourcePath) && !VirtualPathUtility.IsAbsolute(resourcePath) && !Uri.IsWellFormedUriString(resourcePath, UriKind.Absolute)) {
            // appears to be a relative path (e.g. 'foo.js' or '../foo.js', not "/foo.js" or "http://..")
            if (String.IsNullOrEmpty(relativeFromPath)) {
                throw new InvalidOperationException("ResourcePath cannot be relative unless a base relative path is also provided.");
            }
            resourcePath = VirtualPathUtility.ToAbsolute(VirtualPathUtility.Combine(relativeFromPath, resourcePath));
        }
        return resourcePath;
    }

If you provide a URL that has an invalid part in the query string, the logic of the method "FixPath" believes that it is a relative path.

For example, "http://www.test.com?a=blah blah blah" will provide true for the if statement and drop into the fixing part of the method. In this case it would not be expected that the URL be rewritten (it's a different discussion to say that the URL is invalid according to the HTML spec). This then means that the FixPath method throws an exception and rendering is halted entirely.

My belief is that the test URL listed should not be affected by the fix method, and therefore rendered as is to the page (flaws and all).

If there is general agreement on this I'll raise it as an issue on the list.

cheers,

Paul

Coordinator
Oct 12, 2012 at 5:45 PM

File a bug and provide a patch then, but that seems very low priority as the workaround is not to use invalid URLs in your code. As far as I can tell this can't be hit by the user unless the developer makes a mistake.
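
An added example, not part of the thread and not Orchard code: it compares the predicate from the posted FixPath with a lenient alternative that only asks whether the string parses as an absolute URI. `IsRooted` is a stand-in for `VirtualPathUtility.IsAbsolute` so the sample runs without System.Web, and the class name, method names and sample inputs are assumptions made for illustration.

```csharp
using System;

static class ResourcePathCheck
{
    // Stand-in for VirtualPathUtility.IsAbsolute so the sample runs without System.Web (assumption).
    static bool IsRooted(string path)
    {
        return path[0] == '/' || path[0] == '\\';
    }

    // The predicate from FixPath as posted: strict well-formedness decides "relative".
    public static bool TreatedAsRelativeStrict(string resourcePath)
    {
        return !String.IsNullOrEmpty(resourcePath)
            && !IsRooted(resourcePath)
            && !Uri.IsWellFormedUriString(resourcePath, UriKind.Absolute);
    }

    // Hypothetical alternative: ask only whether the string parses as an absolute URI.
    // Uri.TryCreate is lenient about unescaped characters such as spaces in the query.
    public static bool TreatedAsRelativeLenient(string resourcePath)
    {
        Uri parsed;
        return !String.IsNullOrEmpty(resourcePath)
            && !IsRooted(resourcePath)
            && !Uri.TryCreate(resourcePath, UriKind.Absolute, out parsed);
    }

    static void Main()
    {
        // Constructed sample inputs; the second one is the URL from the post.
        string[] samples = {
            "http://www.test.com?a=blah",
            "http://www.test.com?a=blah blah blah",
            "/foo.js",
            "foo.js",
            "../foo.js"
        };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-40} strict={1,-5} lenient={2}",
                s, TreatedAsRelativeStrict(s), TreatedAsRelativeLenient(s));
        }
    }
}
```

With the lenient check a malformed absolute URL is passed through untouched, so if the value can ever come from outside the developer's own code it should be attribute-encoded at render time as usual.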