hsetiawan / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Canonicalize function for the DefaultEncoder class does not handle URLs properly #258

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run the following code using the standard DefaultEncoder class: 

String paramValue = "http://localhost:8226/InfoCenter/index?page=answers&type=search&searchid=1325676169437&newsearch=y&question_box=top&quote=y";
String result = ESAPI.encoder().canonicalize(paramValue, false);
System.out.println(result);

2. The result returned is:

http://localhost:8226/InfoCenter/index?page=answers&type=search&searchid=1325676169437≠wsearch=y&question_box=top"e=y

3. Note that the &ne and &quot have been changed. 

What is the expected output? What do you see instead?
I would expect the URL to be returned unchanged.

What version of the product are you using? On what operating system?
2.0.1.

Does this issue affect only a specified browser or set of browsers?
Not browser specific.

Please provide any additional information below.
I suspect it should check for the terminating ; character before attempting HTML entity substitution.

Original issue reported on code.google.com by gurna...@gmail.com on 4 Jan 2012 at 2:06

GoogleCodeExporter commented 9 years ago
I wonder if this could be given a higher priority. I have a parameter named geoCode which will be in the URL as &geoCode=bla. In this case also the &ge gets replaced.

Original comment by jacob.ma...@gmail.com on 2 Apr 2013 at 7:07

GoogleCodeExporter commented 9 years ago
this is still happening in 2.1.0 version, any workarounds?

Thanks. 
-El

Original comment by elber....@gmail.com on 22 Sep 2014 at 5:33

GoogleCodeExporter commented 9 years ago
System.out.println(ESAPI.encoder().canonicalize("e1=1&e2=1")); // works fine
System.out.println(ESAPI.encoder().canonicalize("productId1=1&productId2=1")); // productId1=1∏uctId2=1 is returned: the &prod of the second parameter is decoded to ∏

Original comment by elber....@gmail.com on 22 Sep 2014 at 6:02
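The workaround asked for in the thread, as an added example that is not part of the issue or of ESAPI's own code. Canonicalization is intended for individual input values, so instead of passing the whole URL to canonicalize (where the text right after a `&` separator, such as `&ne`, `&quot`, `&ge` or `&prod`, is read as an HTML entity), the query string is split on the literal `&` and `=` separators first and each name and value is canonicalized on its own. In a well-formed query a literal `&` inside a value is percent-encoded as `%26`, so splitting the raw query on `&` lands on the real parameter boundaries. The example assumes ESAPI 2.x on the classpath with a reachable ESAPI.properties, and uses only `Encoder.canonicalize(String, boolean)` as in the original report; the class and method names here are the example's own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Map;

import org.owasp.esapi.ESAPI;

// Added example (not ESAPI code): canonicalize query parameters one at a time
// instead of feeding the whole URL to canonicalize().
public class PerParameterCanonicalize {

    // Splits a raw (still percent-encoded) query string into name -> value and
    // canonicalizes each part separately. Splitting happens BEFORE any decoding,
    // so a '&' separator can never be swallowed as the start of an HTML entity.
    static Map<String, String> canonicalizeQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            String rawValue = eq >= 0 ? pair.substring(eq + 1) : "";
            // strict=false matches the call in the original report. ESAPI's
            // canonicalize still percent-decodes and entity-decodes the isolated
            // part, but there is no longer a '&' in front of it to misread.
            String name = ESAPI.encoder().canonicalize(rawName, false);
            String value = ESAPI.encoder().canonicalize(rawValue, false);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: the URL from the original report.
        String url = "http://localhost:8226/InfoCenter/index?page=answers&type=search"
                + "&searchid=1325676169437&newsearch=y&question_box=top&quote=y";

        // Whole-string canonicalization: reproduces the mangling from the report
        // ("&ne" becomes a not-equal sign, "&quot" becomes a double quote).
        System.out.println("whole URL: " + ESAPI.encoder().canonicalize(url, false));

        // Per-parameter canonicalization: getRawQuery() leaves the '&' separators
        // and any percent-encoding untouched, so the split is on real boundaries.
        String rawQuery = new URI(url).getRawQuery();
        for (Map.Entry<String, String> e : canonicalizeQuery(rawQuery).entrySet()) {
            System.out.println(e.getKey() + " = " + e.getValue());
        }
    }
}
```

With this approach a parameter named `geoCode` or `productId2` keeps its name, because the `&` that precedes it is consumed by the split rather than handed to the HTML entity codec. A value that itself contains something like `&ne` is still decoded by canonicalize, which is ESAPI's intended behaviour for input values; the separator problem from the report is the only thing the split removes.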