encoding url parameters

 
Bartender
Posts: 1111
Our system uses user-entered codes as the item's ID.
Years ago it was decided to be ultra friendly and allow all sorts of punctuation to be valid in these codes.

So both & and ; are valid in the string.

We have been solving this by encoding the parameter, and then encoding the whole URL, so double encoding.

Well, we have now tried using IIS and it is complaining about double encoding. I have since discovered the double encoding attack, and am concerned.

All of our internal SQL is written using prepared statements. But we want to save the setup burden on our customers.

Presuming we do want to change, how should we encode the strings to make them safe in URLs?
Or is IIS being overly cautious, and should we save ourselves the effort?
 
Bartender
Posts: 15737
I would try to avoid the whole double encoding business altogether. I imagine that whatever view technology you're using has a way to build URLs, much in the same way that you can build SQL queries using prepared statements. Prepared URLs, if you will.

What frameworks are you guys using?
 
Wendy L Gibbons
Bartender
Posts: 1111
We are using ExtJS; if I remember correctly, JAX-RS helpfully decodes the URL, then chunks the parameters out.

so http://www.blah;id=wendy;bleugh;nextthing=boo

throws errors about the parameter bleugh and formatting, or some such thing; we implemented this solution a couple of years ago, so I can't remember the exact error.

Thanks

 
Stephan van Hulst
Bartender
Posts: 15737
I'm really surprised that I can't find a convenient URI builder in either plain JavaScript or ExtJS. This seems like it would be a common issue. Regardless, implementing one yourself wouldn't be very difficult.

You could write a function that takes a URI without a query string, and an associative array mapping query parameter names to values.

Use encodeURI() on the URI, and use Ext.urlEncode() on the associative array. You can then just paste the two results together with a "?" and you're done.
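The builder described in this reply, written out as an added example (this is not code from the thread or from ExtJS). Plain JavaScript stands in for Ext.urlEncode(): each key and value goes through encodeURIComponent() and the pairs are joined with "&", which is assumed to match its output form. The block also reproduces the encode-the-parameter-then-encode-the-whole-URL approach from the opening post, so the difference between the two is visible when a server decodes the value once, and it includes the kind of check a gateway uses to flag double encoding. The base URL and the item code "A&B;C" are constructed sample values.

```javascript
// Added example, not code from the thread. Plain JavaScript stands in for
// Ext.urlEncode(): each key and value is passed through encodeURIComponent()
// and the pairs are joined with "&", which is assumed to match its output form.

// Build a URL from a base (assumed to carry no query string) and a map of
// parameters. Every value is percent-encoded exactly once, so an item code
// such as "A&B;C" can never be read as a delimiter by the server.
function buildUrl(base, params) {
  const query = Object.keys(params)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
  // encodeURI() leaves "/", ":" and "?" alone but turns "%" into "%25",
  // which is why it must only ever see the raw base, never the encoded query.
  return encodeURI(base) + (query ? "?" + query : "");
}

// Parse the query string the way a server framework does: split on "&" and
// "=", then percent-decode each part exactly once.
function parseQuery(url) {
  const q = url.indexOf("?");
  const out = {};
  if (q < 0) return out;
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    out[key] = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
  }
  return out;
}

// A check of the same kind IIS applied in the thread: after one round of
// decoding, does the URL still contain percent-escapes? If so the client
// encoded twice, and a server that decodes once will see the wrong value.
function needsSecondDecode(url) {
  try {
    return /%[0-9A-Fa-f]{2}/.test(decodeURIComponent(url));
  } catch (e) {
    return true; // malformed escape sequence: treat as suspect, not as clean
  }
}

// Constructed sample: a customer-chosen item code containing both "&" and ";".
const base = "http://example.com/items";
const code = "A&B;C";

const once = buildUrl(base, { id: code });
// The opening post's approach: encode the parameter, then the whole URL.
const twice = encodeURI(once);

console.log(once);                  // http://example.com/items?id=A%26B%3BC
console.log(parseQuery(once).id);   // A&B;C
console.log(twice);                 // http://example.com/items?id=A%2526B%253BC
console.log(parseQuery(twice).id);  // A%26B%3BC  (wrong: needs a second decode)
console.log(needsSecondDecode(once), needsSecondDecode(twice)); // false true
```

The single-encoded URL round-trips to the original code after one decode, while the twice-encoded one yields "A%26B%3BC" and only becomes correct if the server decodes again; that second decode is exactly what the double encoding attack relies on, which is why the gateway rejects it rather than the application accepting it.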
 
Wendy L Gibbons
Bartender
Posts: 1111
I have been playing with this this morning, and you're right, it isn't overly complicated.
I was hoping somebody was going to say "don't bother, IIS is being silly", but actually the code impact isn't too big yet.