OFBiz / OFBIZ-5910

WidgetWorker.buildHyperlinkUrl generates invalid url when using certain sequences of characters

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: 14.12.01, 16.11.01
    • Component/s: framework
    • Labels: None

    Description

      If you define a URL with parameters, or one that contains URL-encoded parameters, the output from WidgetWorker.buildHyperlinkUrl may be invalid. This is because of the use of StringUtil.defaultWebEncoder.canonicalize(localRequestName).

      e.g.
      abc=&or1=123 -> abc=?1=123
      abc=&to1=123 -> abc=&to1=123 (this one is fine)
      abc=&and1=123 -> abc=?1=123
      abc=&gtabc=123 -> abc=>abc=123

      The OWASP HTMLEntityCodec seems to look for special sequences (or, and, gt, lt, etc.) and change them. This to me is invalid because URL encoding and HTML encoding are different.

      Why are the URLs encoding the ampersands anyway? (String localRequestName = UtilHttp.encodeAmpersands(target))
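
Added example, not part of the original report or of OFBiz code: a Python illustration of the context mismatch described above, contrasting HTML-entity decoding of a raw URL with parsing it by URL rules and HTML-escaping only at output. It assumes the standard library's `html.unescape` as a stand-in for the ESAPI HTMLEntityCodec (its entity table differs, so of the report's four inputs only the `&gt` case changes here); the path `/control/find` is hypothetical.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Query strings taken from the examples in the report.
REPORT_TARGETS = [
    "abc=&or1=123",
    "abc=&to1=123",
    "abc=&and1=123",
    "abc=&gtabc=123",
]


def html_decode_then_parse(target):
    """Mis-contexted path: HTML-entity decode a raw URL, then parse it."""
    return parse_qsl(html.unescape(target), keep_blank_values=True)


def parse_as_url(target):
    """URL-context path: split the query string with URL rules only."""
    return parse_qsl(target, keep_blank_values=True)


def build_href(path, target):
    """Re-encode the parameters for the URL, then HTML-escape the whole
    URL exactly once for use inside an HTML attribute."""
    url = path + "?" + urlencode(parse_as_url(target))
    return html.escape(url, quote=True)


def corrupted_targets(targets):
    """Targets whose parameters change when HTML-decoded before parsing."""
    return [t for t in targets if html_decode_then_parse(t) != parse_as_url(t)]


if __name__ == "__main__":
    for t in REPORT_TARGETS:
        print(t)
        print("  html-decoded first:", html_decode_then_parse(t))
        print("  parsed as URL     :", parse_as_url(t))
        # "/control/find" is a hypothetical request path.
        print("  href attribute    :", build_href("/control/find", t))
    print("corrupted:", corrupted_targets(REPORT_TARGETS))
```

The `&amp;` in the generated attribute value is decoded once by the HTML parser, so the browser requests the original `&`-separated query string.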

      Attachments

        1. WidgetWorker.patch
          2 kB
          Gareth Carter

            People

              Assignee: Jacopo Cappellato (jacopoc)
              Reporter: Gareth Carter (gareth.carter)