What does a dangerous query string look like?

I want to see if my encoding is working however the example I made just reverts back to non encoded after it goes back to the page.

<a href="http://search.msn.com/results.aspx%3fq%3dIamBad">Click Here!</a>

Turns back into

<a href="htt开发者_运维知识库p://search.msn.com/results.aspx?q=IamBad">Click Here!</a>

Edit

UrlEncode Untrusted input is used in a URL (such as a value in a querystring) Click Here!

http://msdn.microsoft.com/en-us/library/aa973813.aspx

So my question is I am trying to see if something is not working right(ie why does it make the query string part look normal again).

Is it because the query string contains nothing really out of the ordinary. Or is something re encoding it back to its original form?

You simply do not redisplay inputs from a user that come in via a form submission or through the query string, either redisplaying it to that user directly or storing it in a database that would then display it to other users of the site.

Say you have a hyperlink like this

/default.aspx?message=%3cscript%3ealert('Hello+world')%3b%3c%2fscript%3e

What you do not want to do is this

string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = message; 

Because what would happen is that when that when the page loads, the user is going to see a message box pop up on screen. All this script produces is a stupid little message box, but it could be doing other malicious things to your users.

Instead, you want to encode the input before displaying it, so it becomes something harmless.

string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = Server.HtmlEncode(message); 

So all that happens is that <script>alert('Hello world');</script> is written to the screen, which is actually <script>alert('Hello world');</script> in HTML. There's no message box, no script actually executing, it's just benign text on a screen.

An example of a dangerous query string is below.

<a href="results.aspx?q=<script>alert('Attack')</script>">Click Here!</a>

What you really should be testing for isn't simply if the URL is encoded - but what happens when that attack is performed on your page.