[W3af-develop] 1.0-rc3: URL Encoding/Decoding

Thu, 01 Apr 2010 07:13:32 -0700 

Hi,

first of all: please describe undoubtly in the "Encode/Decode" window that
all characters keyed in or pasted are UTF-8.
This is very important if someon tries to copy&paste data from/to browsers
which use UCS-2.

Said this, here're some oddities you'll stumble over:

1. in the Encode area type
        €uro
   (where the first character is the Euro currency sign)
   then use URL Encode and it correctly encodes to
        %E2%82%ACuro

   Now try to URL Decode, and you get
        \xe2\x82\xacuro

   Is this a bug or a feature?
   It's neither! But you need to know what w3af's en-/decoding does. Without
   that knowledge I'd classify it as bug. That's what most user would belief
   also, I assume.

   ==> See my initial paragraph: just tell the user what the used charset is,
       then all such questions are illegal ;-)
   ==> Otherwise implement "URL Decode (UTF-8)" which should return €uro again.


2. same problem as 1. applies to Base64 Encode and then Base64 Decode


3. in the Decode area type
        €uro
   then HTML unescape and you get
        \xe2\x82\xacuro

   Similar problem as 1. above. But I'd consider this a bug in w3af.

   Same applies to
        €uro


4. in the Encode area type
        €uro
   then HTML Escape it and you get
        €uro

   This is a bug too.


5. UTF-8 Encoding return the same as URL Encoding
   Do I miss something here?
   Otherwise I'd rename UTF-8 Encoding to UTF-8 Encoding (URL).


6. Microsoft %U Encoding for
        €uro
   returns
        %UE282AC%U0075%U0072%U006F

   I'm not sure if %UE282AC is really accepted by Micro$oft.
   Can someone please check.


7. MySQL Encoding and MSSQL Encoding
   use Euro again as string, I doubt that the result is correct.


Sorry for being that pedantic;-)
Achim
        


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to