You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Xin Wang (Jira)" <ji...@apache.org> on 2021/06/05 02:25:00 UTC
[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded
textarea data after submission
[ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357741#comment-17357741 ]
Xin Wang commented on OFBIZ-12249:
----------------------------------
After some investigation, I found that it is altered by UtilHttp.canonicalizeParameter, which unescaped the encoded input.
Regarding to preventing XSS attacks, I think we should rely on output encoding for free-form text input.
Following are some discussions about input sanitization and output encoding:
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://security.stackexchange.com/questions/95325/input-sanitization-vs-output-sanitization
> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Assignee: Jacques Le Roux
> Priority: Major
>
> When trying to add a note to WorkEffort entity, I found that url encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will turned to be: https://example.com/a link
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)