Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How to implement URL validation in application development for Windows XP or for Windows Server 2003



This article contains guidance for software developers who want to implement URL validation in applications for Windows XP or for Windows Server 2003. Specifically, this article discusses what an application must do to validate URLs before passing them to Windows for execution.


More information

The Windows Shell32 ShellExecute function enables applications to pass URLs to Windows for execution. Applications must be carefully designed based on the threat environment. This is true for any program that uses URL handling to accept untrusted data.

Before passing URLs that will be executed by Windows Shell32, an application should do the following:
  1. The application should call the SHParseDisplayName function, passing the URI string.
  2. If step 1 is successful, the application should call the ShellExecuteEx function, passing the SEE_MASK_INVOKEIDLIST flag and the pointer to an item identifier list (PIDL).
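
The two steps above as a C function. This is an added example, not code from the original article or from Microsoft. The name open_validated_url and the OPEN_* return codes are assumptions of this example; it also assumes the caller has already initialized COM on the thread and links against shell32 and ole32. The non-Windows branch exists only so the file compiles elsewhere.

```c
#include <stddef.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <shlobj.h>
#include <shellapi.h>
#endif

/* Return codes are hypothetical, defined for this example only. */
enum { OPEN_OK = 0, OPEN_BAD_ARG = -1, OPEN_PARSE_FAILED = -2,
       OPEN_EXEC_FAILED = -3, OPEN_NO_SHELL = -4 };

int open_validated_url(const wchar_t *url)
{
    /* Reject missing or empty input before touching the shell. */
    if (url == NULL || url[0] == L'\0')
        return OPEN_BAD_ARG;
#ifdef _WIN32
    PIDLIST_ABSOLUTE pidl = NULL;
    SFGAOF attrs = 0;

    /* Step 1: have the shell namespace parse the string into a PIDL. */
    HRESULT hr = SHParseDisplayName(url, NULL, &pidl, 0, &attrs);
    if (FAILED(hr) || pidl == NULL)
        return OPEN_PARSE_FAILED;  /* stop here: never fall back to the raw string */

    /* Step 2: invoke the parsed item by PIDL. lpFile is left NULL so that
       only the PIDL from step 1 identifies the target. */
    SHELLEXECUTEINFOW sei;
    ZeroMemory(&sei, sizeof sei);
    sei.cbSize   = sizeof sei;
    sei.fMask    = SEE_MASK_INVOKEIDLIST;
    sei.lpIDList = pidl;
    sei.nShow    = SW_SHOWNORMAL;
    BOOL ok = ShellExecuteExW(&sei);

    CoTaskMemFree(pidl);           /* the caller owns the PIDL and must free it */
    return ok ? OPEN_OK : OPEN_EXEC_FAILED;
#else
    return OPEN_NO_SHELL;          /* Shell32 is not available on this platform */
#endif
}
```

A caller should treat OPEN_PARSE_FAILED as a rejection of the input and report it, not retry with ShellExecute on the original string.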


Keywords: kbinfo, kbexpertiseadvanced, kbhowto, KB943522


Article Info
Article ID : 943522
Revision : 3
Created on : 10/16/2007
Published on : 10/16/2007
Exists online : False