
Fix Encoder.getCanonicalizedURI(URI) for the test case of a double-ampersand in the HTML Query

Open · xeno6696 opened this issue 1 year ago · 0 comments

Per Issue #824

Discovered a bug where %2C&html=&& should throw a MixedEncodingException but instead constructs a URL sequence of ,&html=null&=null&

Note that this does not result in an exploitable URL string; the & is never decoded. It's also debatable whether this is a false negative.

It's possible that this bug might be acceptable; it isn't clear per the RFC what the correct behavior should be in this circumstance (double ampersand). However, there's some possible nuance and a possible false negative implied here, and it's unclear what the correct path should be.

@kwwall @jeremiahjstacey

xeno6696, Jan 23 '24
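As an added illustration (this is not ESAPI's code and makes no claim about how Encoder.getCanonicalizedURI is implemented), the standalone Java program below splits the query string from the report two ways: leniently, so that the empty segment produced by the double ampersand becomes a pair with an empty key, and strictly, so that such a segment (and an empty key) is rejected before anything is rebuilt. It also shows why the raw & is never a decoding concern: percent-decoding is applied per key and per value after the split, so an encoded %26 becomes a literal & inside a value without creating a new pair. The class name, method names and sample URLs are hypothetical and constructed for this example.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not ESAPI code: how a query string such as "%2C&html=&&"
 * looks once split into pairs, and a strict splitter that refuses the
 * shapes a lenient one silently accepts. All names here are hypothetical.
 */
public final class QueryShapeCheck {

    /** One '&'-delimited segment; value is null when the segment had no '='. */
    static final class Pair {
        final String key;
        final String value;
        Pair(String key, String value) { this.key = key; this.value = value; }
        // String concatenation renders a null value as the text "null",
        // which is how an output like "html=null" can arise downstream.
        @Override public String toString() { return key + "=" + value; }
    }

    /** Lenient split: every '&'-delimited segment becomes a pair, empty ones included. */
    static List<Pair> splitLenient(String rawQuery) {
        List<Pair> pairs = new ArrayList<>();
        for (String segment : rawQuery.split("&", -1)) {   // -1 keeps trailing empties
            int eq = segment.indexOf('=');
            String key = eq < 0 ? segment : segment.substring(0, eq);
            String value = eq < 0 ? null : segment.substring(eq + 1);
            pairs.add(new Pair(decode(key), decode(value)));
        }
        return pairs;
    }

    /** Strict split: rejects empty segments ("&&", leading or trailing '&') and empty keys. */
    static List<Pair> splitStrict(String rawQuery) {
        List<Pair> pairs = new ArrayList<>();
        String[] segments = rawQuery.split("&", -1);
        for (int i = 0; i < segments.length; i++) {
            String segment = segments[i];
            if (segment.isEmpty()) {
                throw new IllegalArgumentException(
                        "empty query segment at index " + i + " in: " + rawQuery);
            }
            int eq = segment.indexOf('=');
            String key = eq < 0 ? segment : segment.substring(0, eq);
            if (key.isEmpty()) {
                throw new IllegalArgumentException(
                        "empty key in segment '" + segment + "' in: " + rawQuery);
            }
            String value = eq < 0 ? null : segment.substring(eq + 1);
            pairs.add(new Pair(decode(key), decode(value)));
        }
        return pairs;
    }

    /**
     * Percent-decode one key or value. Decoding happens per piece, after the
     * split on '&' and '=', so an encoded %26 becomes a literal '&' inside a
     * value and never introduces a new pair.
     */
    static String decode(String piece) {
        return piece == null ? null : URLDecoder.decode(piece, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the query from the report, plus one carrying an encoded '&' and '='.
        List<String> urls = Arrays.asList(
                "https://example.test/page?%2C&html=&&",
                "https://example.test/page?a=%26b%3Dc&d=1");
        for (String url : urls) {
            String raw = new URI(url).getRawQuery();
            System.out.println("raw query : " + raw);
            System.out.println("lenient   : " + splitLenient(raw));
            try {
                System.out.println("strict    : " + splitStrict(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("strict    : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

For the reported query the lenient split yields four pairs, two of them with an empty key, while the strict split rejects the input at the first empty segment. The strict variant deliberately does not reject html= (an empty value), since whether that shape should be treated as an error is exactly the open question in the report; tightening that rule is a one-line change in splitStrict if the project decides it should be.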