copfee / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 1 forks source link

JavascriptCodec is removing all backslashes #252

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. String raw ="C:\\Documents and Settings\\Mario\\Desktop\\";
2. System.out.println(ESAPI.encoder().canonicalize(raw));

What is the expected output? What do you see instead?

I expect the same as the input String because the input does not contain any 
javascript encoded char such as \r or \t

Instead I see this in the console :

C:Documents and SettingsMarioDesktop\

What version of the product are you using? On what operating system?

ESAPI java 2.0.1 on Windows, Java 5

Does this issue affect only a specified browser or set of browsers?

Nope.

Please provide any additional information below.

I've made a modification to JavascriptCodec, at the end of the method 
decodeCharacter() replacing :

// ignore the backslash and return the character
return second;

by :

// not an encoded character, return it
input.reset();
return null;

Original issue reported on code.google.com by david.al...@hraccess.com on 15 Nov 2011 at 9:31

GoogleCodeExporter commented 9 years ago
This needs to be thought out and verified to not have any adverse effects.

Original comment by chrisisbeef on 18 Sep 2014 at 8:44