[
https://issues.apache.org/jira/browse/OFBIZ-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318692#comment-14318692 ]
Jacopo Cappellato commented on OFBIZ-5910:
------------------------------------------
I agree; the approach to XSS prevention we are implementing is too coarse and we should fine tune it; a good reference is the following:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet> WidgetWorker.buildHyperlinkUrl generates invalid url when using certain sequences of characters
> -----------------------------------------------------------------------------------------------
>
> Key: OFBIZ-5910
> URL:
https://issues.apache.org/jira/browse/OFBIZ-5910> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Gareth Carter
> Assignee: Jacques Le Roux
> Attachments: WidgetWorker.patch
>
>
> If you define a url with parameters or contains url encoded parameters, the output from WidgetWorker.buildHyperlinkUrl may be invalid. This is because of using StringUtil.defaultWebEncoder.canonicalize(localRequestName).
> eg
> abc=&or1=123 -> abc=?1=123
> abc=&to1=123 -> abc=&to1=123 (this one is fine)
> abc=&and1=123 -> abc=?1=123
> abc=&gtabc=123 -> abc=>abc=123
> The owasp HTMLEntityCodec seems to look for special sequences (or, and, gt, lt etc) and change them. This to me is invalid because url encoding and html encoding are different
> Why are the urls encoding the ampersands anyway? (String localRequestName = UtilHttp.encodeAmpersands(target);).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
Feb 12, 2015; 6:18pm
