[Esapi-user] URL Validation and Encoding

Jim Manico jim.manico at owasp.org
Wed Sep 22 17:27:16 EDT 2010


Folks,

 

The current encoder().encodeForURL(String data) is really meant for URL
Parameter encoding (as part of XSS prevention). If you URL encode an entire
URL it will break the link you are trying to render.

 

I have an idea for URL encoding that would support output encoding a
complete untrusted URL if it was valid. This may be overkill, but I do not
trust regular expressions for URL validation. There are so many edge cases
that I think we should support.

 

First we need a good ESAPI URL validation function for input. I suggest
this over a RegEx:

 

Validate URL pseudo-code:

 

import java.net.MalformedURLException;
import java.net.URL;

String userURLString = request.getParameter("userURL");

try {
    // 1) assert that userURLString starts with http or https (or other
    //    configurable schemes) in a case sensitive way
    if (!userURLString.startsWith("http://") && !userURLString.startsWith("https://")) {
        throw new MalformedURLException("scheme not allowed");
    }
    // 2) let java.net.URL parse it
    URL url = new URL(userURLString);
} catch (MalformedURLException e) {
    // the URL is not in a valid form
}

 

Next we need a complete URL encoder. If the URL is not valid, return an
exception (Ed!) or a blank string?

 

Encode URL pseudo-code: 

 

import java.net.MalformedURLException;
import java.net.URL;

String userURLString = request.getParameter("userURL");
URL url = null;

try {
    // 1) assert that userURLString starts with http or https in a case
    //    sensitive way
    if (!userURLString.startsWith("http://") && !userURLString.startsWith("https://")) {
        throw new MalformedURLException("scheme not allowed");
    }
    // 2) let java.net.URL parse it
    url = new URL(userURLString);
} catch (MalformedURLException e) {
    // the URL is not in a valid form
}

3)      If the URL is valid (<scheme>://<path>):

        a. rip out the scheme
        b. rip out the path
        c. rip out the URL parameters
        d. re-assemble the url
        e. use ESAPI to URL encode all GET parameters during url assembly

 

Thoughts?

- Jim
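The validate-then-reassemble flow proposed above, written out as working Java (an added example, not code from the post or from ESAPI). The class name UrlCanonicalizer is made up, the sample input is constructed, and java.net.URLEncoder stands in for ESAPI's encodeForURL so the class runs without the ESAPI jar:

```java
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class UrlCanonicalizer {
    // Allowed schemes, matched case-sensitively (a configurable list, as the post suggests).
    private static final Set<String> ALLOWED_SCHEMES = new HashSet<>(Arrays.asList("http", "https"));

    // Steps 1 and 2 of the proposal: case-sensitive scheme check, then let java.net.URL parse.
    public static URL validate(String userURLString) throws MalformedURLException {
        int colon = userURLString == null ? -1 : userURLString.indexOf(':');
        if (colon < 1 || !ALLOWED_SCHEMES.contains(userURLString.substring(0, colon))) {
            throw new MalformedURLException("scheme not allowed");
        }
        return new URL(userURLString);
    }

    // Step 3: split the validated URL into scheme, authority, path and query, URL-encode
    // every query parameter name and value, and reassemble. The fragment is dropped.
    // java.net.URLEncoder stands in for ESAPI.encoder().encodeForURL() so this runs without ESAPI.
    public static String encode(String userURLString)
            throws MalformedURLException, UnsupportedEncodingException {
        URL url = validate(userURLString);
        StringBuilder out = new StringBuilder();
        out.append(url.getProtocol()).append("://").append(url.getAuthority()).append(url.getPath());
        String query = url.getQuery();
        if (query == null) return out.toString();
        out.append('?');
        String[] pairs = query.split("&");
        for (int i = 0; i < pairs.length; i++) {
            if (i > 0) out.append('&');
            int eq = pairs[i].indexOf('=');
            String name = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            out.append(URLEncoder.encode(name, "UTF-8"));
            if (eq >= 0) out.append('=').append(URLEncoder.encode(pairs[i].substring(eq + 1), "UTF-8"));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the value needs encoding, the rest of the URL must survive intact.
        System.out.println(encode("https://example.com/a/b?q=caf\u00e9 au lait&page=2"));
        // Upper-case scheme fails the case-sensitive check and is rejected before parsing.
        try { encode("HTTP://example.com/"); } catch (MalformedURLException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A value that arrives already percent-encoded is encoded a second time here; canonicalizing the input first is a separate step the post does not cover.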
