URLEncoder & URLDecoder

Hi Guys,

My web app always hit a servlet first on the server side. So I'm guessing this being the first point is where I should encode/decode.

I am wondering about guidelines for
what to encode
when to encode
where to encode
& best practices in general

I know forms are implicitly encoded and decoded. So do i need to encode/decode these values server side?

Should I encode/decode any parameters taken in from the URL?

Should I store encoded values in the database. I was told this is best practice?

Also I was told to decode anything first and then encode as a hacker may encode his attempted javascript injected attack. So by decoding first then encoding the data you render his attack useless?

Is there any good websites out there that give good guidelines on this?

Thanks
Ally Cavs

Originally posted by Alan Cavanagh:
I know forms are implicitly encoded and decoded. So do i need to encode/decode these values server side?

Since you already know that the encoding is handled for you, why the question?

Should I encode/decode any parameters taken in from the URL?

No. Also handled for you.

Should I store encoded values in the database. I was told this is best practice?

You are storing URLs in the database?

Also I was told to decode anything first and then encode as a hacker may encode his attempted javascript injected attack. So by decoding first then encoding the data you render his attack useless?

I can't make head or tails of this. It sounds as if you may be confusing URL encoding with HTML encoding.

The purpose of URL encoding is to allow parameter names and values to contain characters that would otherwise be construed as control characters in the URL. This encoding has nothing to do with security.

The only time you need to be concerned with URL encoding is when you are hand-building a URL with query parameters. The names and values of the parameters must be URL encoded.
[ August 25, 2008: Message edited by: Bear Bibeault ]

Thanks for your reply Bear. I undestand a bit better now sort of.

Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything sever side?

As for storing data. I wont be storing URLS. I have a review section to my web app where users post up reviews. If a hacker emebedded some javascript for an attack I want to know how to avoid this. Having said that a user could give a url as part of their review.
So would I need to encode/decode the review?
Do I store the encoded version on my database?

However I am building up URLS dynamically to other pages of my web app. Its a search app. So when a user gets back results from a search, there will be links leading to to a page for each item returned in a search. this item page is generated dynamically from content in the database.
So im guessing I would have to encode those links?

And yes I was confusing URL encoding and HTML encoding. I have just done a quick google for HTML encoding. So I will probably have to have a look at JTidy or something else. Im not sure what HTML encoding is for though?

I now know what URL encoding is for thanks to you!!!

Alan

Originally posted by Alan Cavanagh:
Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything sever side?

Again, the URL encoding has absolutely nothing to do with security. Do not confuse encoding with encryption. If you want security, that's where SSL comes in.

As for storing data. I wont be storing URLS.

Then you don't need to worry about URL encoding. No URLs, no URL encoding.

Do I store the encoded version on my database?

No. Again, URL encoding will do nothing for you with regards to security or hacking or anything along those line.

So im guessing I would have to encode those links?

Depends how the URLs are being generated. In JavaScript? In Java? With the JSTL?

Im not sure what HTML encoding is for though?

To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoding to display correctly.
[ August 25, 2008: Message edited by: Bear Bibeault ]

"Ally Cavs", please restore your display name to its previous value.

Thanks bear. ok i must have the idea of encoding/decoding all wrong. thanks for your help. ill see what i need to do to make my web app safe and also ill looking into encoding/decoding urls. im returning the link via jsp through a java.lang.String This string will be compose of all XML that the javascript will parse.

As for my user name this is the user name i intended to have in the first place. sorry if it confused ya

Originally posted by Bear Bibeault:
To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoding to display correctly.

[ August 25, 2008: Message edited by: Bear Bibeault ]

Actually, HTML encoding is important from a security perspective. Allowing angle brackets in HTML output will allow cross-site scripting attacks to work. HTML encode all markup that's sent back to the user, and you don't have to worry about XSS.

"dwlpb dwlpb", please check your private messages for an important administrative matter.