Posted to commits@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2017/11/15 18:05:42 UTC

Re: svn commit: r1815192 - /ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java

On 14/11/2017 at 10:33, jleroux@apache.org wrote:
> Author: jleroux
> Date: Tue Nov 14 09:33:19 2017
> New Revision: 1815192
>
> URL:http://svn.apache.org/viewvc?rev=1815192&view=rev
> Log:
> Improved: Fixing defects reported by FindBugs, package
> org.apache.ofbiz.securityext.login.
> (OFBIZ-9637)
>
> No functional change.
>
> I prefer to use URLEncoder.encode(reqParam, "UTF-8") rather than ESAPI HTML
> encoder for 3 reasons:
> *  URLEncoder.encode() is sufficient to answer to HTTP response splitting using
>    percent-encoding (aka URL encoding)
> *  Consistent and simpler code using basic Java
> *  Using "UTF-8" is (more than) recommended, see
>    https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html
>
> I will check what using ESAPI HTML encoder entails. As JavaDoc says "Not doing
> so may introduce incompatibilities." We have 30+ cases, they are maybe OK, but
> we need to check...
Among the 46 cases, I see no problems since it's only used in the context of widgets (mostly content wrappers) and only for HTML, not request parameters.

Jacques
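An added example, not part of this thread and not OFBiz code, to make concrete the point the quoted commit message argues: a request parameter that is copied into a response header (a Location header is the usual case) has to be percent-encoded, because HTML entity encoding leaves CR and LF alone and therefore does nothing against HTTP response splitting. Python's urllib.parse.quote_plus stands in for Java's URLEncoder.encode(reqParam, "UTF-8") (assumption: both encode CR and LF as %0D%0A, which is the property that matters here; they differ on a few other characters such as '*' and '~'). The redirect target https://example.test/app and the attacker-controlled parameter value are constructed for the demonstration.

```python
"""Why percent-encoding, not HTML entity encoding, stops HTTP response splitting.

Added example, not OFBiz code.  quote_plus approximates Java's
URLEncoder.encode(s, "UTF-8"); the redirect URL and the attacker input are
constructed for the demonstration.
"""
import html
from urllib.parse import quote_plus

CRLF = "\r\n"

# Constructed attacker input: tries to terminate the Location header, end the
# first response, and append a second, attacker-controlled response.
MALICIOUS_PARAM = (
    "home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


def encode_none(s: str) -> str:
    """No encoding: the vulnerable 'before' state."""
    return s


def encode_html(s: str) -> str:
    """HTML entity encoding, what an ESAPI-style HTML encoder does.  It
    escapes & < > " ' but leaves CR and LF untouched, because those are
    harmless inside an HTML body."""
    return html.escape(s, quote=True)


def encode_url(s: str) -> str:
    """Percent-encoding, approximating Java's URLEncoder.encode(s, "UTF-8").
    CR and LF become %0D and %0A, so the value can no longer end a header."""
    return quote_plus(s, encoding="utf-8")


def build_redirect(param: str, encoder) -> bytes:
    """Build a minimal 302 whose Location header embeds `param` after passing
    it through `encoder`, mirroring code that redirects to a page named by a
    request parameter."""
    location = "https://example.test/app?page=" + encoder(param)
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    ).encode("utf-8")


def count_responses(raw: bytes) -> int:
    """Count HTTP status lines in the byte stream.  A correctly built single
    response has exactly one; more than one means it was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def location_value(raw: bytes) -> str:
    """Parse the Location header the way a naive HTTP client would: split the
    head on CRLF and take the first header named Location."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().decode("utf-8")
    return ""


if __name__ == "__main__":
    for label, enc in (("none", encode_none), ("html", encode_html), ("url", encode_url)):
        raw = build_redirect(MALICIOUS_PARAM, enc)
        print(f"{label:5s} responses={count_responses(raw)} "
              f"location={location_value(raw)!r}")
```

Running it shows two status lines for both the unencoded and the HTML-encoded value (the injected "<script>" text is entity-escaped in the second case, but the response is still split) and one for the percent-encoded value, whose Location header now carries the whole parameter as a single line containing %0D%0A. The encoder has to match the output context: HTML entity encoding is for an HTML body, percent-encoding for a URL or query-string value. One caveat a practitioner would add: URLEncoder.encode produces the application/x-www-form-urlencoded form (spaces become '+'), so it is the right choice for a query parameter, as in the redirect here, but not for a URL path segment.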