[Esapi-user] [Esapi-dev] URL Validation and Encoding

augustd augustd at codemagi.com
Wed Sep 22 19:47:04 EDT 2010


This should be easy enough to do with built-in methods of java.net.URL like
getProtocol(), getHost(), getPath(), etc.

-August


On Wed, Sep 22, 2010 at 2:27 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
>
> The current encoder().encodeForURL(String data) is really meant for URL
> *Parameter* encoding (as part of XSS prevention). If you URL encode an
> entire URL it will break the link you are trying to render.
>
> I have an idea for URL encoding that would support output encoding a
> *complete untrusted URL* if it was valid. This may be overkill, but I do not
> trust regular expressions for URL validation. There are so many edge cases
> that I think we should support….
>
> First we need a good ESAPI URL validation function for input. I suggest
> this over a RegEx:
>
> *Validate URL pseudo-code:*
>
> String userURLString = request.getParameter("userURL");
>
> try {
>
> 1) assert that userURLString starts with http or https (or other
> configurable schemes) in a case sensitive way
>
> 2) URL url = new URL(userURLString);
>
> } catch (MalformedURLException e) {
>     // the URL is not in a valid form
> }
>
> Next we need a complete URL encoder. If the URL is not valid, return an
> exception (Ed!) or a blank string?
>
> *Encode URL pseudo-code:*
>
> String userURLString = request.getParameter("userURL");
>
> URL url = null;
>
> try {
>
> 1) assert that userURLString starts with http or https in a case
> sensitive way
>
> 2) url = new URL(userURLString);
>
> } catch (MalformedURLException e) {
>     // the URL is not in a valid form
> }
>
> 3) If URL is valid <scheme>://<path>
>
> a. rip out the scheme
>
> b. rip out the path
>
> c. rip out the URL parameters
>
> d. re-assemble the url
>
> e. Use ESAPI to URL encode all get parameters during url assembly
>
> Thoughts?
>
> - Jim
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
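The decomposition August points at (getProtocol(), getHost(), getPath() and friends) and Jim's validate-then-reassemble steps, worked through as an added example. This is not ESAPI code and not from either poster: the class and method names are mine, java.net.URLEncoder stands in for ESAPI's encoder().encodeForURL() on each query parameter, and the sample inputs at the bottom are constructed. It follows the thread's case-sensitive scheme check and adds the one check java.net.URL alone does not give you, URL.toURI(), which rejects characters the lenient URL constructor lets through.

```java
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.List;

/** Added example (not ESAPI code): allow-list the scheme, parse with
 *  java.net.URL, rebuild with every query name/value encoded separately. */
public class UntrustedUrlEncoder {

    // Compared case-sensitively as proposed on the thread. RFC 3986 schemes are
    // case-insensitive, so "HTTP://" is rejected here rather than normalised.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    /** Step 1: inspect the raw scheme before java.net.URL lower-cases it. */
    static boolean hasAllowedScheme(String s) {
        int colon = s.indexOf(':');
        return colon > 0 && ALLOWED_SCHEMES.contains(s.substring(0, colon));
    }

    /** Steps 2 and 3: parse, reject what URL is too lenient to reject, reassemble. */
    public static String validateAndEncode(String userURLString) {
        if (userURLString == null || !hasAllowedScheme(userURLString)) {
            throw new IllegalArgumentException("URL scheme not allowed");
        }
        URL url;
        try {
            url = new URL(userURLString);
            url.toURI();   // strict URI grammar: throws on space, '<', '"', ...
        } catch (MalformedURLException | URISyntaxException e) {
            throw new IllegalArgumentException("URL is not in a valid form", e);
        }
        if (url.getHost() == null || url.getHost().isEmpty()) {
            throw new IllegalArgumentException("URL has no host");
        }
        if (url.getUserInfo() != null) {   // user@host makes a link easy to misread
            throw new IllegalArgumentException("userinfo not allowed");
        }
        StringBuilder out = new StringBuilder();
        out.append(url.getProtocol()).append("://").append(url.getHost());
        if (url.getPort() != -1) {
            out.append(':').append(url.getPort());
        }
        out.append(url.getPath());   // syntax-checked by toURI() above
        if (url.getQuery() != null) {
            out.append('?').append(encodeQuery(url.getQuery()));
        }
        if (url.getRef() != null) {
            out.append('#').append(encode(decode(url.getRef())));
        }
        return out.toString();
    }

    /** Step 3e: split on '&' and '=', decode each part to normalise it, re-encode. */
    static String encodeQuery(String rawQuery) {
        StringBuilder sb = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;                  // tolerate "a=1&&b=2"
            if (sb.length() > 0) sb.append('&');
            int eq = pair.indexOf('=');
            if (eq < 0) {
                sb.append(encode(decode(pair)));           // bare flag, e.g. "?debug"
            } else {
                sb.append(encode(decode(pair.substring(0, eq)))).append('=')
                  .append(encode(decode(pair.substring(eq + 1))));
            }
        }
        return sb.toString();
    }

    private static String encode(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new AssertionError(e); }
    }

    // URLDecoder throws IllegalArgumentException on a bad %-sequence such as
    // "%zz"; that propagates, so a malformed parameter means a rejected URL.
    private static String decode(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new AssertionError(e); }
    }

    public static void main(String[] args) {
        String[] samples = {                               // constructed inputs
            "http://example.com/search?q=a%20b&x=1'2",     // accepted, ' becomes %27
            "HTTP://example.com/",                         // rejected: case-sensitive scheme
            "javascript:void(0)",                          // rejected: scheme not allowed
            "http://example.com/?q=<b>",                   // rejected by toURI()
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + validateAndEncode(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Two things worth keeping in mind when adapting this. URLEncoder implements application/x-www-form-urlencoded, which is the query-string convention (space becomes "+"), so it is not suitable for path segments; the path here relies on the toURI() syntax check instead. And the returned string is safe as a URL, not yet as HTML: when it is written into an href attribute it still needs attribute encoding (ESAPI's encodeForHTMLAttribute) on top, which is the "URL parameter vs. whole URL" distinction Jim opens with.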