ESAPI canonicalize is malforming URLs

We have an application that accepts URLs from users. This data needs to be validated, and we use ESAPI for that. However, we are struggling with URLs that contain ampersands.

The problem occurs because ESAPI canonicalizes the data before validating it. For example, `&pid=123` in the URL turns into `πd=123`. Since `π` is not whitelisted, the validation fails.

I tried encoding it, but ESAPI is smarter than that and canonicalizes to prevent double encoding and mixed encoding. I'm a little lost here and not sure how to proceed.

+2
2 answers

ESAPI. , , , OP , , java.net.URI javax.ws.rs.core.UriBuilder / URL-, , URL-. . , , , .

0

Take the string \fgdf\gghfh\fgh\dff and run canonicalize on it:

1: canonicalize(string) → INTRUSION (2x), \fgdf\gghfh\fgh\dff

2: canonicalize(string, false) → input = fgdfgghfhfghdff ?

    value = ESAPI.encoder().encodeForURL(value);
    value = value.replaceAll("", "");
    isSafe = validator.isValidInput("APPNAME", value, "URLSTRING", 255, true, false);

false , .


+1
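The behaviour the question and the second answer describe, as an added example written for this page (it is not code from the question, from either answer, or from the ESAPI project). `ESAPI.encoder().canonicalize()` runs every ESAPI codec over the whole string, and, as the question shows, the HTML entity codec decodes a named entity even without its closing semicolon, so `&pid=123` becomes `πd=123` and the whitelist check fails. The code below takes the route the first answer hints at: check the URL's structure with `java.net.URI`, then percent-decode, canonicalize and validate each query parameter on its own, so `pid` is never examined next to an `&`. It assumes ESAPI 2.x on Java 10 or later, a hypothetical allowlist of hosts, and two hypothetical whitelist patterns, `Validator.PARAMNAME` and `Validator.PARAMVALUE`, defined in ESAPI.properties.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

public class UrlInputCheck {

    // Hypothetical allowlist: the only destinations this application accepts.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /**
     * Reproduces the problem from the question. canonicalize() applies every
     * ESAPI codec to the whole string, and the HTML entity codec decodes "&pi"
     * even without a trailing ';', so "?a=1&pid=123" comes back as "?a=1\u03c0d=123".
     */
    public static String canonicalizeWholeUrl(String url) {
        return ESAPI.encoder().canonicalize(url);
    }

    /**
     * Safer order of operations: check the URL's structure with java.net.URI,
     * then canonicalize and validate each query parameter separately.
     * Returns true only if every part is acceptable.
     */
    public static boolean isAcceptableUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw);            // rejects structurally malformed input
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();       // null when URI could not parse a host
        if (scheme == null || host == null || !scheme.equalsIgnoreCase("https")) {
            return false;
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return false;
        }
        if (uri.getRawUserInfo() != null) {
            return false;                  // no "https://example.com@evil.example/" tricks
        }

        String rawQuery = uri.getRawQuery();   // still percent-encoded, so splitting on '&' is safe
        if (rawQuery == null || rawQuery.isEmpty()) {
            return true;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name  = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? ""   : pair.substring(eq + 1);
            // "pid" is checked on its own, never as "&pid", so no entity decoding can fire.
            if (!isValidComponent(name, "PARAMNAME", 32)
                    || !isValidComponent(value, "PARAMVALUE", 255)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Undo the single layer of percent-encoding a URL legitimately carries, then let
     * ESAPI canonicalize the result (strictly: double or mixed encoding is an intrusion)
     * and match it against the named whitelist pattern from ESAPI.properties.
     * PARAMNAME and PARAMVALUE are hypothetical pattern names assumed to be defined there.
     */
    private static boolean isValidComponent(String percentEncoded, String type, int maxLength) {
        try {
            String decoded = URLDecoder.decode(percentEncoded, StandardCharsets.UTF_8);
            return ESAPI.validator().isValidInput("url-param", decoded, type, maxLength, true, true);
        } catch (IllegalArgumentException | IntrusionException e) {
            return false;                  // bad %-escape, or ESAPI flagged multiple/mixed encoding
        }
    }

    public static void main(String[] args) {
        String url = "https://example.com/page?a=1&pid=123";
        System.out.println(canonicalizeWholeUrl(url));   // shows the "&pi" entity problem from the question
        System.out.println(isAcceptableUrl(url));                                 // true
        System.out.println(isAcceptableUrl("https://evil.example/page?pid=1"));   // false: host not allowed
        System.out.println(isAcceptableUrl("https://example.com/?pid=%2526pi"));  // false: double encoding
    }
}
```

The key design choice is the order: structural parsing first, then one explicit percent-decode of the raw query components, then ESAPI canonicalization per component. Canonicalizing the whole URL invites every codec to act on text that, like `&pid`, is perfectly legitimate in a query string; canonicalizing a parameter name in isolation gives the entity codec nothing to decode.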

Source: https://habr.com/ru/post/1539038/
