ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator #846

Closed tusharkumawat closed 3 months ago

tusharkumawat commented 3 months ago

Describe the bug

ESAPI.encoder().canonicalize() converts "&or" and similar strings without a trailing semicolon into logical operators. A similar issue occurs with "&sub". Example string "encoding=UTF8&origin=xyz&subject=CS" is getting canonicalized into "encoding=UTF8∨igin=xyz⊂ject=CS".

Specify what ESAPI version(s) you are experiencing this bug in

org.owasp.esapi:esapi:2.5.1.0

To Reproduce

ESAPI.encoder().canonicalize("encoding=UTF8&origin=xyz&subject=CS") returns "encoding=UTF8∨igin=xyz⊂ject=CS".

Expected behavior

ESAPI.encoder().canonicalize("encoding=UTF8&origin=xyz&subject=CS") should return "encoding=UTF8&origin=xyz&subject=CS".

ESAPI.encoder().canonicalize("encoding=UTF8∨igin=xyz⊂ject=CS") should return "encoding=UTF8∨igin=xyz⊂ject=CS".

Platform environment (please complete the following information)

xeno6696 commented 3 months ago

This is working as designed. Modern browsers all render HTML entities without the semicolon, and we have to adhere to that least common denominator.

xeno6696 commented 3 months ago

What this suggests to me is that you're validating a URL. If you're trying to canonicalize a URL, use the appropriate method, Encoder.getCanonicalizedURI(URI).

xeno6696 commented 3 months ago

Sorry, meant to close this as won't fix.

Attempting to enforce the semicolon will open your application up to XSS attacks at minimum, possibly worse.
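
An added example (not from this issue thread, and not ESAPI's own code or documentation) that shows the behaviour discussed above: the HTML entity codec that canonicalize() runs decodes "&or" and "&sub" with no semicolon, a semicolon-only decoder would let a browser-renderable payload through untouched, and the URI-specific method xeno6696 points to is used on a parsed URI. It assumes org.owasp.esapi:esapi 2.5.x on the classpath; the last method also assumes a working ESAPI.properties, since ESAPI.encoder() needs one. The class name, the constructed input strings and the semicolonOnlyDecode helper are illustrative and are not ESAPI APIs.

```java
import java.net.URI;
import java.net.URISyntaxException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.HTMLEntityCodec;

// Hypothetical demo class; not part of ESAPI.
public class CanonicalizeDemo {

    // The codec ESAPI's canonicalize() runs over input. It decodes named
    // entities whether or not the trailing semicolon is present, which is what
    // browsers do, so "&or" becomes U+2228 and "&sub" becomes U+2282.
    static String decodeEntities(String input) {
        return new HTMLEntityCodec().decode(input);
    }

    // Strict, semicolon-only decoding of three entities, written here only to
    // contrast with the codec above (illustrative helper, not an ESAPI API).
    // It leaves "&ltscript&gt" alone, yet a browser renders that as <script>.
    static String semicolonOnlyDecode(String input) {
        return input.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    // The call the reporter made. Assumes a configured ESAPI.properties, since
    // ESAPI.encoder() reads it.
    static String canonicalizeString(String input) {
        return ESAPI.encoder().canonicalize(input);
    }

    // For URLs the thread recommends Encoder.getCanonicalizedURI(URI), which
    // works from the parsed URI components rather than the raw query string.
    // Same configuration assumption as above.
    static String canonicalizeUri(String url) throws URISyntaxException {
        Encoder enc = ESAPI.encoder();
        return enc.getCanonicalizedURI(new URI(url));
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: the query string from the bug report.
        String q = "encoding=UTF8&origin=xyz&subject=CS";
        System.out.println(decodeEntities(q));      // encoding=UTF8∨igin=xyz⊂ject=CS
        System.out.println(canonicalizeString(q));  // same result via canonicalize()

        // Constructed sample: semicolon-less entities that a browser still renders.
        String attack = "&ltscript&gtalert(1)&lt/script&gt";
        System.out.println(semicolonOnlyDecode(attack)); // unchanged, looks harmless
        System.out.println(decodeEntities(attack));      // <script>alert(1)</script>

        // The URI-aware path for validating a URL rather than a bare string.
        System.out.println(canonicalizeUri("https://example.com/search?" + q));
    }
}
```

The second pair of prints is the point of the "won't fix": a validator that only recognises "&lt;" would approve the attack string, while the lenient codec produces exactly what the browser will execute, so validation runs against the real payload.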

kwwall commented 3 months ago

Actually, I would have closed this as a duplicate of #827, which was closed for the same reason. You can find a more detailed explanation for our decision to mark this as 'wontfix' there. In reality, it's not a bug, it's a feature. If anything, the bug is that we need better Javadoc to call this out, because this is not the first time this has come up.