What steps will reproduce the problem? See sample code:

```java
import org.owasp.esapi.ESAPI;

// Reporter's reproduction: decodeFromURL is expected to return the input URL unchanged.
String orig = " http://abc.com?custno=75&product=ANLYZR1";
String esapiDecode = ESAPI.encoder().decodeFromURL(orig);
System.out.println("ESAPI decode 2: " + esapiDecode);
```

What is the expected output? What do you see instead? I expect the same URL as the orig URL to be presented. Instead I see the following:

```
ESAPI decode 2: http://abc.com?custno=75?uct=ANLYZR1
```

Notice the `&prod` got dropped and became `?uct`.

What version of the product are you using? On what operating system? 2.0.1

Does this issue affect only a specified browser or set of browsers? All browsers affected.

Please provide any additional information below. What I have found: if I change the product to `pr8duct`, I get the result as `&pr8duct`.

I have narrowed it down to the canonicalize method and especially the PercentCodec.
This is due to invalid expectations. Canonicalize is primarily designed to prevent multiple-encoding attacks, and a URL with a query can easily be interpreted to be URL encoded WITH HTML entity encoding.

In the upcoming 2.x release, a new method in the validator class will correctly handle and process incoming URLs.
@xeno6696 No, this isn't because of "invalid expectations"; rather it's because of a misunderstanding of what ESAPI's canonicalization does and how it interacts with output encoding. "Invalid expectations" are expecting the Cleveland Browns to win a Super Bowl in my lifetime. Sigh.
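A model of the mixed decoding the replies above describe, added here as an example; it is not code from the ESAPI project or from anyone in this thread. It is written in Python rather than Java so it runs without an ESAPI dependency, and it models the canonicalizer instead of calling it. The assumption it encodes, which the reported output `?uct` is consistent with, is that the canonicalizer's HTML-entity pass accepts a named entity without its trailing semicolon and takes the longest known entity name, so the `&prod` at the start of `&product` decodes to U+220F (the n-ary product symbol, printed as `?` by a console that cannot render it) and `&pr8duct` is left alone because no entity name is a prefix of it. The entity table is a small constructed subset, and `decode_query_values` is a hypothetical helper showing the per-component approach the thread points toward: split the URL first, then canonicalize each value, so the `&` separators never reach the decoder.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed subset of the HTML named-entity table, enough to show the collision.
ENTITIES = {
    "prod": "\u220f",  # n-ary product: the entity hiding inside "&product"
    "amp": "&",
    "lt": "<",
    "gt": ">",
    "quot": '"',
    "copy": "\u00a9",
}


def lenient_html_entity_decode(s: str) -> str:
    """Decode &name; and also &name with no semicolon (assumed lenient behaviour).

    At each '&' the longest run of alphanumerics is inspected and the longest
    prefix that names a known entity is decoded; the rest of the run is kept.
    """
    out = []
    i = 0
    while i < len(s):
        if s[i] != "&":
            out.append(s[i])
            i += 1
            continue
        j = i + 1
        while j < len(s) and s[j].isalnum():
            j += 1
        candidate = s[i + 1:j]
        match_len = 0
        for k in range(len(candidate), 0, -1):
            if candidate[:k] in ENTITIES:
                match_len = k
                break
        if match_len == 0:
            out.append("&")  # no entity name is a prefix: keep the ampersand
            i += 1
            continue
        out.append(ENTITIES[candidate[:match_len]])
        i = i + 1 + match_len
        if i < len(s) and s[i] == ";":
            i += 1  # semicolon is optional in this model
    return "".join(out)


def canonicalize_mixed(s: str) -> str:
    """Model of canonicalization: percent-decode and entity-decode until stable.

    This is what defeats double encoding (%253C -> %3C -> <), and also what
    turns '&product=' into '\u220fuct=' when the whole URL is fed in at once.
    """
    prev = None
    while prev != s:
        prev = s
        s = lenient_html_entity_decode(unquote(s))
    return s


def decode_query_values(url: str) -> dict:
    """Hypothetical helper: canonicalize per query value, never the whole URL.

    The query is split on '&' first, so a parameter name that happens to start
    with an entity name cannot be mistaken for encoding.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return {name: canonicalize_mixed(value) for name, value in pairs}


if __name__ == "__main__":
    url = "http://abc.com?custno=75&product=ANLYZR1"  # URL from the report, without its leading space
    print(canonicalize_mixed(url))                      # '&prod' becomes U+220F: the reported mangling
    print(canonicalize_mixed(url.replace("product", "pr8duct")))  # unchanged: no entity prefix
    print(canonicalize_mixed("%253Cscript%253E"))       # double encoding collapsed: what canonicalize is for
    print(decode_query_values(url))                     # per-value decoding keeps both parameters intact
```

The first print reproduces the report (with U+220F where the console showed `?`), the second reproduces the `pr8duct` observation, and the third shows the multiple-encoding case the canonicalizer exists to catch. The last shows the practical rule: canonicalize untrusted values one at a time for validation, and use a plain percent decoder, not the canonicalizer, when the goal is to round-trip a URL.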
From vansu...@gmail.com on June 09, 2013 20:07:47
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=301