[ https://issues.apache.org/jira/browse/OFBIZ-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318692#comment-14318692 ]
Jacopo Cappellato commented on OFBIZ-5910: ------------------------------------------ I agree; the approach to XSS prevention we are implementing is too coarse and we should fine tune it; a good reference is the following: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet > WidgetWorker.buildHyperlinkUrl generates invalid url when using certain > sequences of characters > ----------------------------------------------------------------------------------------------- > > Key: OFBIZ-5910 > URL: https://issues.apache.org/jira/browse/OFBIZ-5910 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: Trunk > Reporter: Gareth Carter > Assignee: Jacques Le Roux > Attachments: WidgetWorker.patch > > > If you define a url with parameters or contains url encoded parameters, the > output from WidgetWorker.buildHyperlinkUrl may be invalid. This is because of > using StringUtil.defaultWebEncoder.canonicalize(localRequestName). > eg > abc=&or1=123 -> abc=?1=123 > abc=&to1=123 -> abc=&to1=123 (this one is fine) > abc=&and1=123 -> abc=?1=123 > abc=&gtabc=123 -> abc=>abc=123 > The owasp HTMLEntityCodec seems to look for special sequences (or, and, gt, > lt etc) and change them. This to me is invalid because url encoding and html > encoding are different > Why are the urls encoding the ampersands anyway? (String localRequestName = > UtilHttp.encodeAmpersands(target);). -- This message was sent by Atlassian JIRA (v6.3.4#6332)