
encoding url parameters

 
Wendy Gibbons
Bartender
Posts: 1111
Eclipse IDE Oracle VI Editor
Our system uses user-entered codes as the item's ID.
Years ago it was decided to be ultra friendly and allow all sorts of punctuation to be valid in these codes.

So both & and ; are valid in the string.

We have been solving this by encoding the parameter, and then encoding the whole URL, so double encoding.

Well, we have now tried using IIS and it is complaining about double encoding. I have since discovered the double encoding attack, and am concerned.

All of our internal SQL is written using prepared statements. But we want to save the setup burden on our customers.

Presuming we do want to change, how should we encode the strings to make them safe in URLs?
Or is IIS being overly cautious and we should save ourselves the effort?
 
Stephan van Hulst
Saloon Keeper
Posts: 7706
141
I would try to avoid the whole double encoding business altogether. I imagine that whatever view technology you're using has a way to build URLs, much in the same way that you can build SQL queries using prepared statements. Prepared URLs, if you will.

What frameworks are you guys using?
 
Wendy Gibbons
We are using ExtJs. If I remember correctly, the jaxrs helpfully decodes the URL, then chunks the parameters out,

so http://www.blah;id=wendy;bleugh;nextthing=boo

throws errors about the parameter bleugh and formatting or some such thing. We implemented this solution a couple of years ago so can't remember the exact error.

Thanks

 
Stephan van Hulst
I'm really surprised that I can't find a convenient URI builder in either plain JavaScript or ExtJS. This seems like it would be a common issue. Regardless, implementing one yourself wouldn't be very difficult.

You could write a function that takes a URI without query string, and an associative array mapping query parameter names to values.

Use encodeURI() on the URI, and use Ext.urlEncode() on the associative array. You can then just paste the two results together with a "?" and you're done.
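
A minimal sketch of the builder described in the post above, added here as an illustration and not code from the thread. `buildUrl` and `parseQuery` are hypothetical names, the host and item code are constructed samples, and `encodeURIComponent` stands in for `Ext.urlEncode()` so the block runs without ExtJS.

```javascript
// Added example: encode each query name and value exactly once.
// buildUrl and parseQuery are hypothetical helper names, not ExtJS APIs.
function buildUrl(baseUri, params) {
  const query = Object.keys(params)
    .map((name) =>
      encodeURIComponent(name) + "=" + encodeURIComponent(String(params[name])))
    .join("&");
  // encodeURI keeps URI structure (":", "/") and escapes only characters
  // that are illegal in a URI, such as spaces.
  const base = encodeURI(baseUri);
  return query ? base + "?" + query : base;
}

// Receiving side: split on the separators first, then percent-decode
// each name and value once. Order matters: decoding before splitting
// is what turns an encoded "&" or ";" back into a separator.
function parseQuery(url) {
  const out = {};
  const q = url.indexOf("?");
  if (q === -1) return out;
  for (const pair of url.slice(q + 1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    out[decodeURIComponent(name)] = decodeURIComponent(value);
  }
  return out;
}

// Constructed sample: an item code containing both separators from the thread.
const itemCode = "wendy;bleugh&next=boo";
const single = buildUrl("http://example.test/items", { id: itemCode, view: "full" });

// The double-encoded form for comparison: every "%" becomes "%25", so one
// decode no longer yields the original code and the receiver has to guess
// how many more times to decode.
const doubled = "http://example.test/items?id=" +
  encodeURIComponent(encodeURIComponent(itemCode));

console.log(single);
console.log("single round-trips:", parseQuery(single).id === itemCode);
console.log(doubled);
console.log("double round-trips:", parseQuery(doubled).id === itemCode);
```
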
 
Wendy Gibbons
I have been playing with this this morning, and you're right, it isn't overly complicated.
I was hoping somebody was going to say don't bother, IIS is being silly, but actually the code impact isn't too big yet.
 