Encode UserName value in UriBuilder (Issue #74662)

[cdbullard]

Fix #74662

Adding private method EncodeUserName to replace any problematic characters "/" / "\" / "?" / "#" / "@" with their appropriate values to prevent throwing a UriFormatException.

The code from MihaZupan's comment on this issue was implemented for this fix with minor changes.

[dnfadmin]

All CLA requirements met.

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

#74662

Adding private method EncodeUserName to replace any problematic characters "/" / "\" / "?" / "#" / "@" with their appropriate values to prevent throwing a UriFormatException.

The code from MihaZupan's comment on this issue was implemented for this fix with minor changes.

Author:	cdbullard
Assignees:	-
Labels:	area-System.Net, community-contribution
Milestone:	-

[MihaZupan]

Thanks @cdbullard!

Could you please extend this change to also include the Password property, and also add some tests for these cases?

[MihaZupan]

Thanks!

[skyoxZ]

This could be a break change.

Consider if users find UriBuilder.Uri.ToString() is buggy so they write a helper ToFullEncodedString as below:

var builder = new UriBuilder("https://www.microsoft.com")
{
    UserName = "mallory@hackers.net",
    Password = "hunter2",
};
Console.WriteLine(builder.ToFullEncodedString());

public static class UriBuilderExtension
{
    public static string ToFullEncodedString(this UriBuilder builder)
    {
        string plainUserName = builder.UserName;
        builder.UserName = System.Web.HttpUtility.UrlEncode(plainUserName);
        string result = builder.Uri.ToString();
        builder.UserName = plainUserName;
        return result;
    }
}

[MihaZupan]

I suppose it's possible.

We can avoid taking that risk by deferring the encoding to the ToString instead of the setters.

runtime/src/libraries/System.Private.Uri/src/System/UriBuilder.cs

Lines 344 to 350 in 87f66a7

	vsb.Append(username);
	string password = Password;
	if (password.Length != 0)
	{
	vsb.Append(':');
	vsb.Append(password);

[skyoxZ]

And maybe : should also be encoded there.

[MihaZupan]

I would avoid changing : for now. Uri doesn't enforce the exact format of UserInfo.
That is, new Uri("http://name:::password@host/").UserInfo is valid and changing it would be a breaking change.

[cdbullard]

Thanks for the feedback--I have pushed a change that I believe will address this by moving the EncodeUserInfo call to the ToString() method per MihaZupan's comment, and also added a new unit test for this situation. Please let me know if any other changes should be made, thank you!

[MihaZupan]

Test failure is #74795