One of my REST APIs has a query parameter called "partners", which is a list of integers, so you can specify multiple values in the URL. To prevent XSS attacks, I remove malicious content in the input using ESAPI. Here is the problem:
I noticed that the canonicalize method of the ESAPI encoder (which uses the default codecs: HTMLEntityCodec, PercentCodec, JavaScriptCodec) changes the values of the request parameters because it considers `&p` or `&pa` to be some encoding. See the examples below.
Something like
http:
works as expected.
On the other hand, something like
http:
the input after canonicalization becomes
`pidentity=1Οdentity=2`
URL-
http:
`partner=1βrtner=2`
so `&pa` became 'β'.
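The behaviour described in the question is what happens when an HTML-entity decoder is run over the whole raw query string: the `&` that separates parameters is read as the start of an entity, and codecs that accept legacy entity names without a trailing `;` swallow the following parameter name. The Python block below is an added illustration, not code from the question or from ESAPI; it uses `html.unescape` as a stand-in for the entity codec (it too decodes a few legacy names without `;`, so the constructed `&copy=2` is consumed the way the poster's `&pi...` and `&pa...` were) and then shows the mitigation a validator would want: split on `&` first, then whitelist each value of `partners` as a plain decimal integer. The URLs are constructed sample inputs.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (not taken from the original question).
OK_URL = "http://example.invalid/api?partners=1&partners=2"
BAD_URL = "http://example.invalid/api?copy=1&copy=2"

# Whitelist pattern for one integer value: ASCII digits only, bounded length.
_INT_RE = re.compile(r"[0-9]{1,9}")


def decode_whole_query(url: str) -> str:
    """Reproduce the failure mode: entity-decode the raw query string as one blob.

    html.unescape stands in for an HTML entity codec here. Like such codecs it
    accepts some legacy entity names with no trailing ';', so in 'copy=1&copy=2'
    the '&copy' sequence is decoded to the copyright sign and the second
    parameter is destroyed. 'partners=1&partners=2' survives only because no
    entity name happens to be a prefix of 'partners'.
    """
    return html.unescape(urlsplit(url).query)


def parse_int_list(url: str, name: str, lo: int = 1, hi: int = 10**9) -> list[int]:
    """Mitigation: split into parameters first, then validate each value on its own.

    parse_qs treats '&' as a separator and percent-decodes each value
    individually, so no cross-parameter decoding can occur. Each value is then
    checked against a strict integer whitelist; anything else raises ValueError,
    which is the right outcome for a parameter documented as a list of integers.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True, strict_parsing=True)
    values = []
    for raw in params.get(name, []):
        if not _INT_RE.fullmatch(raw):
            raise ValueError(f"{name!r}: {raw!r} is not a plain integer")
        n = int(raw)
        if not lo <= n <= hi:
            raise ValueError(f"{name!r}: {n} outside [{lo}, {hi}]")
        values.append(n)
    return values


if __name__ == "__main__":
    print("whole-string decode, OK_URL :", decode_whole_query(OK_URL))
    print("whole-string decode, BAD_URL:", decode_whole_query(BAD_URL))
    print("per-parameter validation    :", parse_int_list(BAD_URL, "copy"))
    try:
        parse_int_list("http://example.invalid/api?partners=1&partners=<b>", "partners")
    except ValueError as exc:
        print("rejected:", exc)
```

The point for the question at hand is the order of operations: canonicalize or decode individual parameter values after the request has been split into parameters, never the raw query string, and for a parameter that is defined as a list of integers, a whitelist check on each value makes output encoding the only XSS control you still need.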