
Issue with decodeFromURL method in the DefaultEncoder #307

Closed
meg23 opened this issue Nov 13, 2014 · 3 comments

Comments


meg23 commented Nov 13, 2014

From vansu...@gmail.com on June 09, 2013 20:07:47

What steps will reproduce the problem? See sample code:

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

// Must run inside a method that declares "throws EncodingException" (decodeFromURL throws it)
String orig = " http://abc.com?custno=75&product=ANLYZR1";
String esapiDecode = ESAPI.encoder().decodeFromURL(orig);
System.out.println("ESAPI decode 2: " + esapiDecode);
```

What is the expected output? What do you see instead? I expect the same URL as the orig URL to be presented. Instead I see the following:

```
ESAPI decode 2: http://abc.com?custno=75?uct=ANLYZR1
```

Notice the @prod got dropped and became ?uct.

What version of the product are you using? On what operating system? 2.0.1

Does this issue affect only a specified browser or set of browsers? All browsers affected.

Please provide any additional information below. What I have found: if I change the product to pr8duct, I get the result as &pr8duct.

I have narrowed it down to the Canonicalize method and especially the PercentCodec.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=301

@xeno6696 (Collaborator)

This is due to invalid expectations. Canonicalize is primarily designed to prevent multiple encoding attacks, and a URL with a query can easily be interpreted to be URL encoded WITH html entity encoding.

In the upcoming 2.x release, a new method in the validator class will correctly handle and process incoming URLs.
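
As an added illustration (not ESAPI's code and not part of this thread), the Python below emulates what the collaborator describes: a canonicalizer that runs a percent codec and a lenient HTML-entity codec over the whole string until it stops changing. The entity table, the codec names and the function names `lenient_html_decode`, `canonicalize_like` and `decode_query_safely` are constructed for this example; the real `HTMLEntityCodec` covers the full HTML 4 entity list and is Java. Run over the reporter's URL, the `&prod` inside `&product=` matches the entity for U+220F (the PRODUCT sign), which is consistent with the `?uct` in the report, while `&pr8duct` matches nothing and survives. The last function shows the defensive alternative: split the URL's structure first and percent-decode each parameter on its own, keeping canonicalization for validating individual values, where its "more than one codec fired" signal is the point.

```python
import urllib.parse

# Constructed, deliberately tiny entity table for the demonstration.  ESAPI's
# HTMLEntityCodec knows the full HTML 4 list; "prod" (U+220F, the PRODUCT
# sign) is the entry that the reporter's "&product=" happens to match.
LENIENT_ENTITIES = {
    "amp": "&",
    "lt": "<",
    "gt": ">",
    "quot": '"',
    "prod": "\u220f",
}


def lenient_html_decode(s: str) -> str:
    """Decode named entities, tolerating a missing trailing ';'.

    Emulation for this example only, not ESAPI's implementation: at each '&'
    the longest entity name that matches is consumed, with or without ';'.
    """
    out = []
    i = 0
    while i < len(s):
        if s[i] == "&":
            match = next(
                (n for n in sorted(LENIENT_ENTITIES, key=len, reverse=True)
                 if s.startswith(n, i + 1)),
                None,
            )
            if match is not None:
                out.append(LENIENT_ENTITIES[match])
                i += 1 + len(match)
                if i < len(s) and s[i] == ";":
                    i += 1
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def percent_decode(s: str) -> str:
    # unquote leaves malformed %-sequences untouched, like a tolerant codec.
    return urllib.parse.unquote(s)


def canonicalize_like(s: str) -> tuple[str, list[str]]:
    """Apply every codec to the whole string until it stops changing.

    Returns the canonical form plus the list of codecs that changed the input,
    in order; more than one entry means the value was multiply or mixed
    encoded, which is what a canonicalizer exists to detect.
    """
    cur, fired = s, []
    while True:
        before = cur
        after_pct = percent_decode(cur)
        if after_pct != cur:
            fired.append("percent")
        cur = lenient_html_decode(after_pct)
        if cur != after_pct:
            fired.append("html")
        if cur == before:
            return cur, fired


def decode_query_safely(url: str) -> dict[str, str]:
    """Split the URL's structure first, then percent-decode each part alone.

    Once the '&' and '=' delimiters have done their job they are gone, so no
    parameter name can be misread as an HTML entity.
    """
    parsed = urllib.parse.urlsplit(url.strip())
    params = {}
    for part in parsed.query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params[percent_decode(name)] = percent_decode(value)
    return params


if __name__ == "__main__":
    # The reporter's input (constructed here from the issue text).
    orig = " http://abc.com?custno=75&product=ANLYZR1"
    canon, fired = canonicalize_like(orig.strip())
    print("canonicalized whole URL:", canon, fired)   # ...custno=75∏uct=ANLYZR1 ['html']
    print("pr8duct variant:", canonicalize_like("a=1&pr8duct=2")[0])  # unchanged
    print("structure first:", decode_query_safely(orig))
    # Where canonicalization belongs: one value, to spot double encoding.
    print("double-encoded value:", canonicalize_like("%2526lt%3B"))  # ('<', ['percent', 'percent', 'html'])
```

The `fired` list is the useful output of canonicalization: a single value that needed two percent passes and an HTML pass was encoded more than once, which is the condition an input validator should reject. Applying the same machinery to a whole URL turns protocol delimiters into entity prefixes, which is the corruption the report shows.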

@kwwall (Contributor) commented Jul 20, 2017

@xeno6696 No, this isn't because of "invalid expectations"; rather it's because of a misunderstanding of what ESAPI's canonicalization does and how it interacts with output encoding. "Invalid expectations" are expecting the Cleveland Browns to win a Super Bowl in my lifetime. Sigh.

@xeno6696 (Collaborator)

#Bears2018 :-D
