Matt Seil

Results 124 comments of Matt Seil

I agree with after, though we should use the term "antipatterns" as that will make more devs snap to attention. "pitfalls" implies something small. Antipattern implies wrong from conception.

Been a while since I read through it, "antipatterns" are used throughout. (For some reason I thought you implied a rewrite.) Yeah, after. Show them how to do it right, and...

@jmanico don't sleep on this one. Long-term this means that the encoder project simply won't be used because the choice will be "go with new j2ee or use OWASP encoder?"...

This issue always turns out to be a local environmental issue. Research what causes NoClassDefFound and solve your class path problem.

This is an issue with Netty. You need to ask them. They’re using ESAPI and whatever you’re doing is conflicting with their usage.

If you can construct a dummy application that reproduces this, I can help troubleshoot but otherwise I’d have to be present in your cube.

> Hi,
> sorry for the response delay,
>
> We effectively have both parameters set to false:
>
> Encoder.AllowMultipleEncoding=false
> Encoder.AllowMixedEncoding=false
>
> The URL we are using...

Quick notes:

Unwrapped URL as-is:

```
/webapp/ux/home?
d=1705914006565
&status=login
&ticket=1705914090394_HzJpTROVfhW-JhRW0OqDbHu7tWXXlgrKSUmOzIMsZNCcUIiYGMXX_Q%3D%3D
&newsess=false
&roleid=DP010101/0007
&origin=ourprogram
```

Percent-decoded:

```
/webapp/ux/home?
d=1705914006565
&status=login
&ticket=1705914090394_HzJpTROVfhW-JhRW0OqDbHu7tWXXlgrKSUmOzIMsZNCcUIiYGMXX_Q==
&newsess=false
&roleid=DP010101/0007
&origin=ourprogram
```

Both versions, unwrapped looking for HTML...

Found it. As discussed in #823 the first call to canonicalize the entire query string is run into the canonicalize method on line 541 and generates the false positive. Further...