ESAPI canonicalize malforming url


Question

We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands.

The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails.

I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped here and I'm not sure how to proceed.

Recommended answer

This problem is a known bug in ESAPI. I started working on resolving it, but since I don't know when a patch will get committed, I can only refer you to a workaround in my comments to the OP here where I linked a similar answer, using java.net.URI and javax.ws.rs.core.UriBuilder to parse/break down the URL, canonicalize the pieces, and then reconstruct the URL. I'll repost the link here. The example I put forth is on the second half of the question after the OP switched topics mid-question.
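The workaround the answer outlines (parse the URL, canonicalize the pieces, rebuild it) as an added example; this is not the answerer's linked code or ESAPI's own. It sticks to the JDK's java.net.URI instead of javax.ws.rs.core.UriBuilder so it needs no JAX-RS dependency, and it assumes ESAPI is on the classpath with the validation rule names HTTPParameterName, HTTPParameterValue and URL configured as in ESAPI's default validation.properties. ESAPI's validator canonicalizes each input before matching the whitelist, so the fix is simply to never let a string containing "&pid=" reach it: each query name and value is decoded and validated on its own, where "pi" can no longer be mistaken for an HTML entity.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/**
 * Workaround for canonicalize() turning "&pid=123" into "\u03c0d=123":
 * the whole URL is never handed to ESAPI. It is parsed with java.net.URI,
 * each query name and value is validated (and thereby canonicalized) on its
 * own, and the URL is rebuilt with one consistent encoding.
 *
 * Assumptions (not from the original answer): absolute http(s) URLs only,
 * the rule names below exist in validation.properties, and the fragment
 * part of the URL is deliberately not forwarded.
 */
public final class SafeUrlValidator {

    private static final String PARAM_NAME_RULE = "HTTPParameterName";
    private static final String PARAM_VALUE_RULE = "HTTPParameterValue";
    private static final String URL_RULE = "URL";

    private SafeUrlValidator() {}

    /** Parses, validates piece by piece and returns the rebuilt URL; throws on any rejected piece. */
    public static String validate(String rawUrl) throws URISyntaxException, ValidationException {
        URI uri = new URI(rawUrl);

        // 1. Scheme, authority and path contain no "&", so canonicalization
        //    cannot misfire on them; validate them as one unit.
        String base = uri.getScheme() + "://" + uri.getRawAuthority() + uri.getRawPath();
        String validBase = ESAPI.validator().getValidInput("url base", base, URL_RULE, 2048, false);

        // 2. Split the raw (still percent-encoded) query and validate each
        //    name and value separately. getValidInput canonicalizes first
        //    (HTML entities, nested encodings) and then applies the whitelist.
        List<String> rebuilt = new ArrayList<>();
        String rawQuery = uri.getRawQuery();
        if (rawQuery != null && !rawQuery.isEmpty()) {
            for (String pair : rawQuery.split("&")) {
                int eq = pair.indexOf('=');
                String rawName = eq < 0 ? pair : pair.substring(0, eq);
                String rawValue = eq < 0 ? "" : pair.substring(eq + 1);

                String name = ESAPI.validator().getValidInput("query name",
                        URLDecoder.decode(rawName, StandardCharsets.UTF_8), PARAM_NAME_RULE, 32, false);
                // allowNull=true: an empty value yields null from ESAPI.
                String value = ESAPI.validator().getValidInput("query value",
                        URLDecoder.decode(rawValue, StandardCharsets.UTF_8), PARAM_VALUE_RULE, 1000, true);

                rebuilt.add(URLEncoder.encode(name, StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(value == null ? "" : value, StandardCharsets.UTF_8));
            }
        }

        // 3. Reassemble: the base is already validated, the query is freshly
        //    percent-encoded, so nothing is double- or mixed-encoded.
        StringBuilder out = new StringBuilder(validBase);
        if (!rebuilt.isEmpty()) {
            out.append('?').append(String.join("&", rebuilt));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the "&pid=" case from the question.
        String input = "https://example.com/item?cat=books&pid=123";
        System.out.println(validate(input));
        // Expected: the URL comes back unchanged, because "pid" is validated
        // on its own and "&pi" is never seen by the canonicalizer.
    }
}
```

Validating the base as a single string is safe only because the "&" that triggers entity decoding can appear in the query (and fragment), not in scheme, host or path; if your application also accepts user-supplied fragments, treat them the same way as a query value rather than appending them verbatim.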

