diegomvh / angular-odata

Client side OData typescript library for Angular
https://www.npmjs.com/package/angular-odata
MIT License

Semicolons should be encoded as %3B? #82

Status: Closed (broomfn closed 1 year ago)

broomfn commented 1 year ago

There seems to be some confusion as to whether ; is a valid URL character or should be encoded:

https://github.com/traefik/traefik/issues/9164

It all seems to be caused by this security issue:

https://www.oxeye.io/resources/golang-parameter-smuggling-attack

Perhaps an option to encode semicolons as %3B would be useful?

diegomvh commented 1 year ago

Hi @broomfn

The URL encoding uses the Angular codec. Maybe create your own implementation of HttpParameterCodec:

https://github.com/angular/angular/blob/6f5dabe0d25a5660b7c3001041449b4622dd8924/packages/common/http/src/params.ts#L108
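As an added example (not code from angular-odata or Angular), here is a codec of the kind suggested above that keeps semicolons encoded as %3B while leaving the other OData-friendly characters readable. The interface is declared locally to mirror Angular's HttpParameterCodec; the class name, helper and sample values are hypothetical, and the restore table is an assumption modelled on the linked params.ts.

```typescript
// Local declaration with the same four methods as Angular's HttpParameterCodec,
// so the block runs without @angular/common installed.
interface HttpParameterCodec {
  encodeKey(key: string): string;
  encodeValue(value: string): string;
  decodeKey(key: string): string;
  decodeValue(value: string): string;
}

// Characters put back in readable form after encodeURIComponent.
// Assumption: modelled on the default codec in the linked params.ts, with
// '3B' (';') deliberately left out so semicolons stay encoded as %3B.
const RESTORE: Record<string, string> = {
  '40': '@', '3A': ':', '24': '$', '2C': ',', '3D': '=', '3F': '?', '2F': '/',
};

function encodeKeepingSemicolons(v: string): string {
  return encodeURIComponent(v).replace(
    /%([0-9A-F]{2})/gi,
    (match, hex: string) => RESTORE[hex.toUpperCase()] ?? match,
  );
}

// Hypothetical class name.
class SemicolonEncodingCodec implements HttpParameterCodec {
  encodeKey(key: string): string { return encodeKeepingSemicolons(key); }
  encodeValue(value: string): string { return encodeKeepingSemicolons(value); }
  decodeKey(key: string): string { return decodeURIComponent(key); }
  decodeValue(value: string): string { return decodeURIComponent(value); }
}

// Hypothetical helper: serialise key/value pairs into a query string.
function buildQuery(params: Array<[string, string]>, codec: HttpParameterCodec): string {
  return params.map(([k, v]) => `${codec.encodeKey(k)}=${codec.encodeValue(v)}`).join('&');
}

// Constructed sample: an OData $expand whose nested options are separated by
// ';', plus a filter literal that contains a semicolon.
const sampleQuery = buildQuery(
  [['$expand', 'Orders($select=Id;$top=5)'], ['$filter', "Name eq 'a;b'"]],
  new SemicolonEncodingCodec(),
);
```

In Angular, a codec like this is supplied through the `encoder` option of `HttpParams`; how angular-odata accepts one is not covered in this thread.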

broomfn commented 1 year ago

Many thanks @diegomvh, that's very helpful, I'll take a look at that, cheers 👍