OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

[ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357741#comment-17357741 ]

Xin Wang commented on OFBIZ-12249:
----------------------------------

After some investigation, I found that it is altered by UtilHttp.canonicalizeParameter, which unescaped the encoded input.

Regarding to preventing XSS attacks, I think we should rely on output encoding for free-form text input.

Following are some discussions about input sanitization and output encoding:

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://security.stackexchange.com/questions/95325/input-sanitization-vs-output-sanitization

> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Assignee: Jacques Le Roux
> Priority: Major
>
> When trying to add a note to WorkEffort entity, I found that url encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will turned to be: https://example.com/a link
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)