OFBiz / OFBIZ-5910

WidgetWorker.buildHyperlinkUrl generates invalid url when using certain sequences of characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: 14.12.01, 16.11.01
    • Component/s: framework
    • Labels:
      None

      Description

      If you define a url with parameters, or one that contains url encoded parameters, the output from WidgetWorker.buildHyperlinkUrl may be invalid. This is because of using StringUtil.defaultWebEncoder.canonicalize(localRequestName).

      e.g.
      abc=&or1=123 -> abc=?1=123
      abc=&to1=123 -> abc=&to1=123 (this one is fine)
      abc=&and1=123 -> abc=?1=123
      abc=&gtabc=123 -> abc=>abc=123

      The OWASP HTMLEntityCodec seems to look for special sequences (or, and, gt, lt etc) and change them. This to me is invalid because url encoding and html encoding are different.

      Why are the urls encoding the ampersands anyway? (String localRequestName = UtilHttp.encodeAmpersands(target)).

              People

              • Assignee:
                jacopoc Jacopo Cappellato
                Reporter:
                gareth.carter Gareth Carter
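
The corruption described in the report, reproduced as an added example (not part of the original issue, and not OFBiz or ESAPI code). `lenient_entity_decode` is a hypothetical model of an HTML entity decoder that does not require the closing `;`, built on Python's `html.entities` table; `params`, `href_attribute` and the `/control/view` path are also assumptions made for the illustration. It shows how decoding a URL as HTML merges query parameters, next to parsing the query as a URL and HTML-escaping only when writing markup.

```python
from html import escape
from html.entities import html5
from urllib.parse import parse_qsl

# Model of a decoder that accepts entity names without the closing ';'
# (an assumption based on the behaviour reported above, not ESAPI's code).
LENIENT = {name.rstrip(";"): value for name, value in html5.items()}
MAX_NAME = max(map(len, LENIENT))


def lenient_entity_decode(text):
    """Replace '&name' by its character, longest name first, ';' optional."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "&":
            for n in range(min(MAX_NAME, len(text) - i - 1), 0, -1):
                name = text[i + 1:i + 1 + n]
                if name in LENIENT:
                    out.append(LENIENT[name])
                    i += 1 + n
                    if text[i:i + 1] == ";":
                        i += 1
                    break
            else:  # no entity name follows this '&'
                out.append("&")
                i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def params(query):
    """Parse a query string as a URL: split on '&', percent-decode only."""
    return parse_qsl(query, keep_blank_values=True)


def href_attribute(url):
    """HTML-escape the URL once, at the point it is written into markup."""
    return 'href="%s"' % escape(url, quote=True)


if __name__ == "__main__":
    # Constructed inputs: the four query strings from the report above.
    for q in ("abc=&or1=123", "abc=&to1=123", "abc=&and1=123", "abc=&gtabc=123"):
        print(q, params(q), "->", params(lenient_entity_decode(q)))
        print("   ", href_attribute("/control/view?" + q))
```

After the lenient decode the `or1`, `and1` and `gtabc` parameters no longer exist as separate parameters: their text is absorbed into the value of `abc`.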