
SecurityWrapperRequest#getQueryString() decodes percent escapes #135

Open
@meg23

Description


From [email protected] on May 15, 2010 21:42:05

What steps will reproduce the problem?
1. Wrap a request that contains a % escape in the query string
2. Call getQueryString()
3. Note that percent escapes have been unescaped

What is the expected output? What do you see instead?
This is debatable. The problem here is that unescaping % changes the meaning of the query string. In normal form encoding name1=value1&name2=value2, equals and ampersand must be escaped in names and values. However, the unescaping that getQueryString is performing would cause the values not to parse correctly.

Please use labels and text to provide additional information.
It needs to be decided what is best to do here. The purpose of this routine makes canonicalization and validation difficult at best because it bypasses the normal decoding into parameters that is done internally by the request. I have seen URLs with other meta characters in the query string than those done for form encoding, though I don't know what the specification says about such.

My current thought on the issue is that this routine is generally expected
to return a raw value. As such it would probably be best just to validate
that the characters contained therein are valid characters for a query
string and not go farther. I believe this would just be URL chars without
the '#' but I would need to test.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=125
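The parsing problem described in this report, shown as an added example (this is not ESAPI code and not the reporter's; the class, method and parameter names are invented for illustration). The Servlet API defines `HttpServletRequest.getQueryString()` as returning the query string without container decoding, so a caller expects to split on `&` and `=` first and decode each piece afterwards. The demo parses one constructed query string both ways: correctly from the raw form, and after the whole string has already been percent-decoded, as a wrapper that unescapes in `getQueryString()` would hand it over. It also shows the reporter's suggested alternative, validating the raw string against the RFC 3986 `query` grammar (`*( pchar / "/" / "?" )`, which excludes `#`) without decoding it.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class RawQueryStringDemo {

    // Decode one already-isolated name or value using form-encoding rules.
    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    // Correct order: split the RAW string on '&' and '=' first, then decode each piece.
    // Encoded '&' (%26) and '=' (%3D) inside a value therefore stay part of that value.
    public static Map<String, String> parse(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decode(name), decode(value));
        }
        return params;
    }

    // RFC 3986: query = *( pchar / "/" / "?" )
    //           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
    // '#' is not in this set, and a '%' must be followed by exactly two hex digits.
    private static final Pattern RFC3986_QUERY = Pattern.compile(
            "(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*");

    // Validate the raw (still-escaped) query string without altering it.
    public static boolean isValidRawQuery(String rawQuery) {
        return rawQuery != null && RFC3986_QUERY.matcher(rawQuery).matches();
    }

    public static void main(String[] args) {
        // Constructed sample: the 'next' value legitimately contains an encoded '?', '&' and '='.
        String raw = "next=%2Fhome%3Fa%3D1%26b%3D2&token=abc";

        // Raw string parsed the normal way: two parameters, 'next' keeps its embedded '&'.
        System.out.println("parsed from raw:         " + parse(raw));

        // What a caller gets if getQueryString() has already unescaped the percent sequences:
        // the embedded '&' now acts as a separator and 'next' is split into extra parameters.
        String preDecoded = decode(raw);
        System.out.println("parsed after pre-decode: " + parse(preDecoded));

        // The raw-validation alternative: accept the escaped form, reject '#' and bad escapes.
        System.out.println("raw is valid query:      " + isValidRawQuery(raw));
        System.out.println("fragment char rejected:  " + isValidRawQuery("a=1#x"));
        System.out.println("bad escape rejected:     " + isValidRawQuery("a=%zz"));
    }
}
```

Running `main` prints the two parameter maps side by side: parsing the raw string keeps `next` as a single value, while parsing the pre-decoded string yields a third parameter `b` and a truncated `next`, which is the meaning change the report describes. The `isValidRawQuery` check is one way to express the reporter's proposal of validating characters rather than decoding; it is deliberately a syntax check only and does not replace parameter-level canonicalization and validation done after the request has split the parameters.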
