How to implement URL validation in application development for Windows XP or for Windows Server 2003

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

SUMMARY

This article contains guidance for software developers who want to implement URL validation in applications for Windows XP or for Windows Server 2003. Specifically, this article discusses what an application must do to validate URLs before passing them to Windows for execution.

MORE INFORMATION

The Windows Shell32 ShellExecute function enables applications to pass URLs to Windows for execution. Applications that do so must be carefully designed with the threat environment in mind. This is true for any program that uses URL handling to accept untrusted data.

Before passing a URL to Windows Shell32 for execution, an application should do the following:
  1. Call the SHParseDisplayName function, passing it the URI string.
  2. If step 1 is successful, call the ShellExecuteEx function with the SEE_MASK_INVOKEIDLIST flag and the pointer to an item identifier list (PIDL).
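
The two steps above as a C sketch. This is an added example, not code from the original article or from Microsoft; the helper name open_validated_url and the open_result enum are hypothetical, and the non-Windows branch exists only so the file compiles on other platforms.

```c
/* Added example. Windows build (assumed): link with shell32.lib and ole32.lib.
   The caller is assumed to have initialized COM before calling this helper. */
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <shlobj.h>
#include <shellapi.h>
#endif

/* Hypothetical result codes for this example. */
enum open_result { OPEN_OK = 0, OPEN_REJECTED, OPEN_LAUNCH_FAILED, OPEN_UNSUPPORTED };

/* Hypothetical helper: parse first, launch only the parsed PIDL. */
enum open_result open_validated_url(const wchar_t *uri)
{
    /* Reject missing or empty input before touching the shell at all. */
    if (uri == NULL || uri[0] == L'\0')
        return OPEN_REJECTED;
#ifdef _WIN32
    LPITEMIDLIST pidl = NULL;
    SFGAOF attrs = 0;
    SHELLEXECUTEINFOW sei;
    BOOL launched;

    /* Step 1: have the shell namespace parse the string into a PIDL.
       A failure here means the string is never handed on for execution. */
    if (FAILED(SHParseDisplayName(uri, NULL, &pidl, 0, &attrs)) || pidl == NULL)
        return OPEN_REJECTED;

    /* Step 2: launch by PIDL only. lpFile stays NULL, so the raw string
       is not parsed a second time by ShellExecuteEx. */
    ZeroMemory(&sei, sizeof sei);
    sei.cbSize   = sizeof sei;
    sei.fMask    = SEE_MASK_INVOKEIDLIST;
    sei.lpIDList = pidl;
    sei.nShow    = SW_SHOWNORMAL;
    launched = ShellExecuteExW(&sei);

    CoTaskMemFree(pidl);   /* the PIDL from step 1 is owned by the caller */
    return launched ? OPEN_OK : OPEN_LAUNCH_FAILED;
#else
    return OPEN_UNSUPPORTED;   /* Shell32 is not available on this platform */
#endif
}
```

The point of the pattern is that the untrusted string is handed only to SHParseDisplayName; ShellExecuteEx receives the PIDL and never the original text.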
Properties

Article ID: 943522 - Last Review: 10/16/2007 22:00:36 - Revision: 1.2

  • Microsoft Windows XP Tablet PC Edition 2005
  • Microsoft Windows XP Media Center Edition 2005
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition