URLEncoder & URLDecoder

 
Ranch Hand
Hi Guys,

My web app always hits a servlet first on the server side. So I'm guessing that, being the first point, this is where I should encode/decode.

I am wondering about guidelines for
what to encode
when to encode
where to encode
& best practices in general

I know forms are implicitly encoded and decoded. So do I need to encode/decode these values server side?

Should I encode/decode any parameters taken in from the URL?

Should I store encoded values in the database? I was told this is best practice.

Also, I was told to decode anything first and then encode, as a hacker may encode his attempted JavaScript injection attack. So by decoding first, then encoding the data, you render his attack useless?

Are there any good websites out there that give good guidelines on this?

Thanks
Ally Cavs
 
Sheriff

Originally posted by Alan Cavanagh:
I know forms are implicitly encoded and decoded. So do I need to encode/decode these values server side?

Since you already know that the encoding is handled for you, why the question?

Should I encode/decode any parameters taken in from the URL?

No. Also handled for you.

Should I store encoded values in the database? I was told this is best practice.

You are storing URLs in the database?

Also I was told to decode anything first and then encode as a hacker may encode his attempted javascript injected attack. So by decoding first then encoding the data you render his attack useless?

I can't make head or tails of this. It sounds as if you may be confusing URL encoding with HTML encoding.

The purpose of URL encoding is to allow parameter names and values to contain characters that would otherwise be construed as control characters in the URL. This encoding has nothing to do with security.

The only time you need to be concerned with URL encoding is when you are hand-building a URL with query parameters. The names and values of the parameters must be URL encoded.
[ August 25, 2008: Message edited by: Bear Bibeault ]
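To make that last point concrete, here is an added example (not code from the thread) of hand-building the kind of search-result link Alan describes with java.net.URLEncoder, and of what a container-style parser makes of the result. The /app/item path, the parameter names and the item title are assumptions; parseQuery only imitates what request.getParameter() already does for you, so that the example runs offline. It needs Java 10 or later for the Charset overloads of URLEncoder and URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the thread): build a search-result link by hand and
 * show why each parameter name and value must go through URLEncoder.
 * Requires Java 10+ for the Charset overloads of URLEncoder/URLDecoder.
 */
public class SearchLinkDemo {

    /** Hypothetical item page of the search app; the path is an assumption. */
    static final String ITEM_PAGE = "/app/item";

    /** Joins parameters into a query string, URL-encoding both sides of every pair. */
    static String buildQuery(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /**
     * Imitates what the container does behind request.getParameter(): split on
     * '&' and '=', then percent-decode. Only here so the example runs offline;
     * in a servlet you never call URLDecoder on request parameters yourself.
     */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                    URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Returns the part of a URL after the '?'. */
    static String query(String url) {
        return url.substring(url.indexOf('?') + 1);
    }

    public static void main(String[] args) {
        // Constructed item title that happens to contain URL syntax characters.
        String title = "Fish & Chips = dinner? 100% <yes>";

        // Wrong: the raw value pasted straight into the URL.
        String naive = ITEM_PAGE + "?q=" + title + "&page=2";

        // Right: every parameter name and value encoded.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", title);
        params.put("page", "2");
        String encoded = ITEM_PAGE + "?" + buildQuery(params);

        System.out.println("naive:   " + naive);
        System.out.println("encoded: " + encoded);

        try {
            // '&' and '=' inside the title split it into extra bogus parameters,
            // and the lone '%' is not a valid escape, so decoding fails outright.
            System.out.println(parseQuery(query(naive)));
        } catch (IllegalArgumentException ex) {
            System.out.println("naive link rejected: " + ex.getMessage());
        }

        // The round trip is exact; note that <yes> comes back as '<' and '>'
        // again, which is why URL encoding is no defence against script injection.
        Map<String, String> parsed = parseQuery(query(encoded));
        System.out.println(parsed);
        System.out.println("round trip intact: " + title.equals(parsed.get("q")));
    }
}
```

The encoded link reads /app/item?q=Fish+%26+Chips+%3D+dinner%3F+100%25+%3Cyes%3E&page=2, and the parser hands back exactly the original title under q; the naive link is rejected because the stray % is not a valid escape, and even without it the & and = in the title would have produced a third, meaningless parameter.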
 
Ally Cavs
Ranch Hand
Thanks for your reply Bear. I understand a bit better now, sort of.

Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything server side?

As for storing data, I won't be storing URLs. I have a review section in my web app where users post up reviews. If a hacker embedded some JavaScript for an attack, I want to know how to avoid this. Having said that, a user could give a URL as part of their review.
So would I need to encode/decode the review?
Do I store the encoded version in my database?

However, I am building up URLs dynamically to other pages of my web app. It's a search app. So when a user gets back results from a search, there will be links leading to a page for each item returned in the search. This item page is generated dynamically from content in the database.
So I'm guessing I would have to encode those links?

And yes, I was confusing URL encoding and HTML encoding. I have just done a quick Google for HTML encoding. So I will probably have to have a look at JTidy or something else. I'm not sure what HTML encoding is for, though?

I now know what URL encoding is for thanks to you!!!

Alan
 
Bear Bibeault
Sheriff

Originally posted by Alan Cavanagh:
Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything server side?

Again, the URL encoding has absolutely nothing to do with security. Do not confuse encoding with encryption. If you want security, that's where SSL comes in.

As for storing data, I won't be storing URLs.

Then you don't need to worry about URL encoding. No URLs, no URL encoding.

Do I store the encoded version on my database?

No. Again, URL encoding will do nothing for you with regards to security or hacking or anything along those lines.

So I'm guessing I would have to encode those links?

Depends how the URLs are being generated. In JavaScript? In Java? With the JSTL?

I'm not sure what HTML encoding is for, though?

To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoded to display correctly.
[ August 25, 2008: Message edited by: Bear Bibeault ]
 
Bear Bibeault
Sheriff
"Ally Cavs", please restore your display name to its previous value.
 
Ally Cavs
Ranch Hand
Thanks Bear. OK, I must have the idea of encoding/decoding all wrong. Thanks for your help. I'll see what I need to do to make my web app safe, and also I'll look into encoding/decoding URLs. I'm returning the link via JSP through a java.lang.String. This string will be composed of all the XML that the JavaScript will parse.

As for my user name, this is the user name I intended to have in the first place. Sorry if it confused you.
 
Greenhorn

Originally posted by Bear Bibeault:
To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoded to display correctly.

Actually, HTML encoding is important from a security perspective. Allowing angle brackets in HTML output will allow cross-site scripting attacks to work. HTML encode all markup that's sent back to the user, and you don't have to worry about XSS.
 
Bear Bibeault
Sheriff
"dwlpb dwlpb", please check your private messages for an important administrative matter.
 
I think she's lovely. It's this tiny ad that called her crazy:
Smokeless wood heat with a rocket mass heater
https://woodheat.net
reply
    Bookmark Topic Watch Topic
  • New Topic