java.lang.String encodeForURL(java.lang.String input) throws EncodingException
Encode for use in a URL. This method performs URL encoding on the entire string.
In the docs, "URL encoding" is defined by referencing Wikipedia!
http://en.wikipedia.org/wiki/Percent-encoding
Don't we have RFCs for this?
Curious what it really does? Look in the code:
return java.net.URLEncoder.encode(input,
ESAPI.securityConfiguration().getCharacterEncoding());
What? Read the JavaDoc!
Translates a string into application/x-www-form-urlencoded format. This is not meant for building URLs but for encoding form data!
There is another JavaDoc:
The URLEncoder and URLDecoder classes can also be used, but only for HTML form encoding, which is not the same as the encoding scheme defined in RFC2396.
And another one:
The recommended way to manage the encoding and decoding of URLs is to use URI
Reading the URI docs you will learn about all the deviations Java has from RFC2396:
javase/6/docs/api/java/net/URI.html
The OWASP JavaScript version of "the same" is even "better"
(I bet a beer it does not produce the same results as the Java code):
encodeForURL: function(sInput) {
return !sInput ? null : escape(sInput);
}
Reading the MDC docs:
escape and unescape Functions
The escape and unescape functions do not work properly for non-ASCII characters
and have been deprecated. In JavaScript 1.5
and later, use encodeURI, decodeURI, encodeURIComponent, and decodeURIComponent.
Bad naming or ignorance?
There is just a small chance that the authors really meant to code "HTML form encoding" and not to solve URI building and encoding,
and that the method just has a bad name. I would suggest Encoder.encodeForHtmlForm
instead of the misleading encodeForURL with its even more confusing wiki link!
In case OWASP really meant to solve
encoding for URI or http scheme URLs, there should be totally
different code behind it!!!!
If you really plan to encode URI components, an API is needed that
encodes path, path segment, query and fragment with the separate rules defined by the
RFC (and I vote for the "new" RFC 3986 instead of the buggy Java implementation of the old RFC 2396).
If you code or find an RFC 3986 compliant Java URI implementation,
let me know;
until then I will not
replace my code with the UNRELIABLE OWASP REFERENCE IMPLEMENTATION.
Strong suggestion again: search for "Jena IRI".
The encodeForURL method is intended to encode parameters that are part of a URL. This method is not for building a complete URI, and doing so is far beyond the scope of the method (and there are numerous *correct* ways to do so using only the core Java API).
From a security perspective, imagine the following scenario:
Code in page:
<% String myVariable = request.getParameter("myVariable"); %>
<a href="http://mysite.com/someaction?key=<%=myVariable%>">Link</a>
A blind man could spot the issue there from 100 miles away. Here you would use:
<% String myVariable = request.getParameter("myVariable"); %>
<a href="http://mysite.com/someaction?key=<%= ESAPI.encodeForURL(myVariable) %>">Link</a>
(This is a very dumbed down version to illustrate a single point)
This could be considered encoding form data for a GET request; however, as is evident from the code above, this is not at all a form-generated request but a dynamically built GET request with parameters being passed in that are subject to injection attacks if not properly escaped.
So consider this "bad naming";
however, your comment does not change anything about the fact that the Java and JavaScript implementations are out of sync (produce different results).
1) whitespace (20) is encoded as %20 by escape and encodeURI and is encoded as + by URLEncoder
2) as mentioned, escape is buggy and does not work over the 0xFF range, producing %u0100 instead of the %C4%80 produced by Java and encodeURIComponent
...
3) and of course all 3 methods have different lists of encoded chars.
So what?
Are we trying to code something reasonable here,
or just align the JS code with the silly Java code?
In the core Java API THERE IS NO CORRECT NOR EASY WAY TO encode parts of a URI, and it is a shame that the ESAPI API is ignorant of this fact, especially since URI and path related issues are at the top of vuln. lists.
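The three encoders contrasted in the post (escape vs. java.net.URLEncoder) and in the reply above (space, characters above 0xFF, differing lists of encoded chars), as an added JavaScript example that is not code from the post, ESAPI or ESAPI4JS: javaUrlEncoderEncode is my own emulation of java.net.URLEncoder.encode(s, "UTF-8") written from its documented behaviour (an assumption, not Java code), compared with escape() and encodeURIComponent() on constructed inputs.

```javascript
// Added example (not ESAPI or the post's code): a JavaScript emulation of
// java.net.URLEncoder.encode(s, "UTF-8") so its output can be compared with
// escape() and encodeURIComponent() on identical inputs.

// URLEncoder keeps [A-Za-z0-9.-*_], maps ' ' to '+', and percent-encodes
// every other character as uppercase-hex UTF-8 bytes (assumed from its docs).
function javaUrlEncoderEncode(input) {
  const utf8 = new TextEncoder();
  let out = "";
  for (const ch of input) { // iterates by code point, not by UTF-16 unit
    if (/^[A-Za-z0-9.\-*_]$/.test(ch)) out += ch;
    else if (ch === " ") out += "+";
    else for (const b of utf8.encode(ch))
      out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// What the OWASP ESAPI4JS encodeForURL quoted in the post actually does.
function esapiJsEncodeForUrl(sInput) {
  return !sInput ? null : escape(sInput);
}

// Encode one input with all three encoders and report them side by side.
function compareEncoders(input) {
  return {
    input,
    java: javaUrlEncoderEncode(input),
    jsEscape: esapiJsEncodeForUrl(input),
    jsEncodeURIComponent: encodeURIComponent(input),
  };
}

// Inputs on which the three encoders do not all agree.
function divergingInputs(inputs) {
  return inputs.filter((s) => {
    const r = compareEncoders(s);
    return r.java !== r.jsEscape || r.java !== r.jsEncodeURIComponent;
  });
}

// Constructed samples: a space, a char above 0xFF, and chars that sit in one
// encoder's "keep unchanged" list but not in another's.
const SAMPLES = ["a b", "\u0100", "a+b/c@d", "x~y", "!'()", "ok-1_2.3*4"];

for (const s of SAMPLES) console.log(compareEncoders(s));
```

Only the last sample survives all three encoders unchanged; every other one lands in divergingInputs, which is the "out of sync" point made above.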
We are currently evaluating this Spring API, and will publish results soon:
http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/util/UriUtils.html