You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Jim Manico (JIRA)" <ji...@apache.org> on 2012/05/09 22:44:00 UTC

[jira] [Commented] (SHIRO-360) Create UrlEncoder

    [ https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271786#comment-13271786 ] 

Jim Manico commented on SHIRO-360:
----------------------------------

This same encoding function is necessary when trying to stop some
classes of XSS defense.

<a href="http://www.somesite.com/data?test=<%= URL ENCODE UNTRUSTED DATA
%>">Link</a>

And of course, adding a session ID to a URL is a security vulnerability
known as session rewriting and is not recommended. :)

Aloha,
Jim



-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim@owasp.org
www.owasp.org

                
> Create UrlEncoder
> -----------------
>
>                 Key: SHIRO-360
>                 URL: https://issues.apache.org/jira/browse/SHIRO-360
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Web
>            Reporter: Les Hazlewood
>             Fix For: 1.3.0
>
>
> To customize how URL encoding in a web app occurs, we should have a UrlEncoder component.  More specifically, this can be used to customize how JSESSIONID is appended to a URL (if at all, depending on security preferences).
> The solution could be resolved as follows:
> Create a new UrlEncoder interface:
> public interface UrlEncoder {
>     String encodeUrl(EncodeUrlRequest request);
> }
> The EncodeUrlRequest:
> public interface EncodeUrlRequest {
>     String getUrl();
>     HttpServletRequest getHttpServletRequest();
>     HttpServletResponse getHttpServletResponse();
>     ServletContext getServletContext();
> }
> Update WebEnvironment to have a new property:
> UrlEncoder getUrlEncoder();

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira