  1. OFBiz
  2. OFBIZ-5910

WidgetWorker.buildHyperlinkUrl generates invalid url when using certain sequences of characters


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: 14.12.01, 16.11.01
    • Component/s: framework
    • Labels:
      None

      Description

      If you define a URL with parameters or one that contains URL-encoded parameters, the output from WidgetWorker.buildHyperlinkUrl may be invalid. This is because of using StringUtil.defaultWebEncoder.canonicalize(localRequestName).

      e.g.
      abc=&or1=123 -> abc=?1=123
      abc=&to1=123 -> abc=&to1=123 (this one is fine)
      abc=&and1=123 -> abc=?1=123
      abc=&gtabc=123 -> abc=>abc=123

      The OWASP HTMLEntityCodec seems to look for special sequences (or, and, gt, lt etc.) and change them. This to me is invalid because URL encoding and HTML encoding are different.

      Why are the URLs encoding the ampersands anyway? (String localRequestName = UtilHttp.encodeAmpersands(target))
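
The corruption reported above can be reproduced outside OFBiz. This Python sketch is an added example, not code from the report or from OFBiz: `lenient_entity_decode` and its small `ENTITIES` table are a constructed stand-in for an HTML entity decoder that accepts names without a trailing semicolon, and `render_href` shows the alternative of treating the target as a URL and HTML-escaping it once, at output.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Constructed subset of named entities; a real codec's table is much larger.
ENTITIES = {"or": "\u2228", "and": "\u2227", "gt": ">", "lt": "<", "amp": "&"}

# The four targets listed in the report.
TARGETS = ["abc=&or1=123", "abc=&to1=123", "abc=&and1=123", "abc=&gtabc=123"]

def lenient_entity_decode(text):
    """Decode '&name' even when no ';' follows (assumed stand-in behaviour)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "&":
            rest = text[i + 1:]
            # Longest known entity name that prefixes the text after '&'.
            name = max((n for n in ENTITIES if rest.startswith(n)),
                       key=len, default=None)
            if name:
                out.append(ENTITIES[name])
                i += 1 + len(name)
                if i < len(text) and text[i] == ";":
                    i += 1
                continue
        out.append(text[i])
        i += 1
    return "".join(out)

def params_survive(target, transform):
    """True if the query parameters are unchanged after `transform`."""
    before = parse_qsl(target, keep_blank_values=True)
    return parse_qsl(transform(target), keep_blank_values=True) == before

def render_href(target):
    """Keep the URL as a URL; HTML-escape only when writing the attribute."""
    pairs = parse_qsl(target, keep_blank_values=True)
    return html.escape(urlencode(pairs), quote=True)

def roundtrip(target):
    """What an HTML parser recovers from the escaped attribute value."""
    return html.unescape(render_href(target))

if __name__ == "__main__":
    for t in TARGETS:
        print(t, "->", lenient_entity_decode(t),
              "| params intact:", params_survive(t, lenient_entity_decode),
              "| href:", render_href(t))
```

Parameter names that begin with an entity name (`or1`, `and1`, `gtabc`) are merged into the preceding value by the lenient decoder, while the escaped `href` decodes back to the original query string in every case.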


            People

            • Assignee:
              jacopoc Jacopo Cappellato
              Reporter:
              gareth.carter Gareth Carter
