[Esapi-user] [Esapi-dev] URL Validation and Encoding

Jeff Williams jeff.williams at aspectsecurity.com
Wed Sep 22 22:02:19 EDT 2010


Yes, we should whitelist allowed protocols, etc.

--Jeff



On Sep 22, 2010, at 6:49 PM, "augustd" <augustd at codemagi.com> wrote:

> This should be easy enough to do with built-in methods of java.net.URL like getProtocol(), getHost(), getPath(), etc. 
> 
> -August
> 
> 
> On Wed, Sep 22, 2010 at 2:27 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Folks,
> 
> The current encoder().encodeForURL(String data) is really meant for URL parameter encoding (as part of XSS prevention). If you URL encode an entire URL it will break the link you are trying to render.
> 
> I have an idea for URL encoding that would support output encoding a complete untrusted URL if it was valid. This may be overkill, but I do not trust regular expressions for URL validation. There are so many edge cases that I think we should support…
> 
> First we need a good ESAPI URL validation function for input. I suggest this over a RegEx:
> 
> Validate URL pseudo-code:
> 
> String userURLString = request.getParameter("userURL");
> try {
>     // 1) assert that userURLString starts with http or https (or other configurable schemes) in a case sensitive way
>     if (!userURLString.startsWith("http://") && !userURLString.startsWith("https://")) {
>         throw new MalformedURLException("scheme not allowed");
>     }
>     // 2) let java.net.URL parse it
>     URL url = new URL(userURLString);
> } catch (MalformedURLException e) {
>     // the URL is not in a valid form
> }
> 
> Next we need a complete URL encoder. If the URL is not valid, return an exception (Ed!) or a blank string?
> 
> Encode URL pseudo-code:
> 
> String userURLString = request.getParameter("userURL");
> URL url = null;
> try {
>     // 1) assert that userURLString starts with http or https in a case sensitive way
>     if (!userURLString.startsWith("http://") && !userURLString.startsWith("https://")) {
>         throw new MalformedURLException("scheme not allowed");
>     }
>     // 2) let java.net.URL parse it
>     url = new URL(userURLString);
> } catch (MalformedURLException e) {
>     // the URL is not in a valid form
> }
> 
> 3) If URL is valid <scheme>://<path>
>    a. rip out the scheme
>    b. rip out the path
>    c. rip out the URL parameters
>    d. re-assemble the url
>    e. Use ESAPI to URL encode all get parameters during url assembly
> 
> Thoughts?
> 
> - Jim
> 
> 
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
> 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
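Jim's validate-then-reassemble steps, Jeff's point about a protocol whitelist and August's suggestion of the java.net.URL accessors, put together as one added example. This is my own illustration, not ESAPI code: a hard-coded scheme allowlist stands in for the configurable one Jim mentions, java.net.URLEncoder/URLDecoder stand in for ESAPI.encoder().encodeForURL() and its decoder, and the sample inputs in main() are constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Validate an untrusted URL, then rebuild it with every component encoded. */
public final class SafeUrl {

    // Hard-coded for the demo; a real ESAPI implementation would read this from its configuration (assumption).
    private static final Set<String> ALLOWED_SCHEMES = new HashSet<>(Arrays.asList("http", "https"));

    /** Steps 1 and 2 from the thread: case-sensitive scheme allowlist, then a java.net.URL parse. */
    public static URL validate(String userURLString) throws MalformedURLException {
        if (userURLString == null) {
            throw new MalformedURLException("null URL");
        }
        int colon = userURLString.indexOf(':');
        if (colon < 1) {
            throw new MalformedURLException("missing scheme");
        }
        // Compared as-is (no toLowerCase()), so "HTTPS://..." is rejected before the parser sees it.
        String scheme = userURLString.substring(0, colon);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new MalformedURLException("scheme not allowed: " + scheme);
        }
        URL url = new URL(userURLString);              // throws MalformedURLException on unparsable input
        if (url.getUserInfo() != null) {
            throw new MalformedURLException("userinfo not allowed");  // credentials in the authority are rejected outright
        }
        if (url.getHost() == null || url.getHost().isEmpty()) {
            throw new MalformedURLException("missing host");
        }
        return url;
    }

    /** Step 3: take the URL apart with the java.net.URL accessors and reassemble it, encoding as we go. */
    public static String encodeUrl(String userURLString) throws MalformedURLException {
        URL url = validate(userURLString);
        StringBuilder out = new StringBuilder();
        out.append(url.getProtocol()).append("://").append(url.getHost());
        if (url.getPort() != -1) {
            out.append(':').append(url.getPort());
        }
        String path = url.getPath();
        out.append(path.isEmpty() ? "/" : encodePath(path));
        String query = url.getQuery();
        if (query != null) {
            out.append('?');
            String[] pairs = query.split("&", -1);
            for (int i = 0; i < pairs.length; i++) {
                if (i > 0) {
                    out.append('&');
                }
                int eq = pairs[i].indexOf('=');
                if (eq < 0) {
                    out.append(encodeForURL(pairs[i]));
                } else {
                    out.append(encodeForURL(pairs[i].substring(0, eq)))
                       .append('=')
                       .append(encodeForURL(pairs[i].substring(eq + 1)));
                }
            }
        }
        if (url.getRef() != null) {
            out.append('#').append(encodeForURL(url.getRef()));
        }
        return out.toString();
    }

    /** Encode each path segment on its own so the "/" separators survive but nothing else is left raw. */
    private static String encodePath(String path) throws MalformedURLException {
        String[] segments = path.split("/", -1);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < segments.length; i++) {
            if (i > 0) {
                sb.append('/');
            }
            sb.append(encodeForURL(segments[i]));
        }
        return sb.toString();
    }

    /**
     * Stand-in for ESAPI.encoder().encodeForURL(). Decodes one layer first so input that already
     * contains %XX escapes is not double-encoded, and rejects broken escapes such as "%zz".
     */
    static String encodeForURL(String s) throws MalformedURLException {
        try {
            String decoded = URLDecoder.decode(s, "UTF-8");
            return URLEncoder.encode(decoded, "UTF-8").replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always available", e);
        } catch (IllegalArgumentException e) {
            throw new MalformedURLException("bad percent-escape in: " + s);
        }
    }

    public static void main(String[] args) throws Exception {
        String[] inputs = {                                   // constructed sample inputs
            "https://example.com/a b/c?q=1 2&x=<script>#top",
            "https://example.com/a%2Fb?x=%3C",                // already encoded: stays single-encoded
            "HTTPS://example.com/",                           // wrong case: rejected
            "javascript:alert(1)",                            // scheme not on the allowlist: rejected
            "http://user@example.com/",                       // userinfo: rejected
            "https://example.com/?x=%zz",                     // broken escape: rejected
            "not a url"
        };
        for (String in : inputs) {
            try {
                System.out.println(in + "  ->  " + encodeUrl(in));
            } catch (MalformedURLException e) {
                System.out.println(in + "  ->  REJECTED: " + e.getMessage());
            }
        }
        // Jim's first point: encoding the whole string as one parameter breaks the link.
        System.out.println(URLEncoder.encode("https://example.com/a?b=1", "UTF-8"));
    }
}
```

Two design points worth noting. The scheme check runs on the raw string before `new URL()` because the check, not the parser, is what has to be case-sensitive; and java.net.URL is lenient (it accepts spaces and angle brackets in the path and query), which is exactly why the pieces are re-encoded on the way back out rather than trusting the parsed string. Decoding one layer before encoding keeps `%2F` in a path segment as `%2F` instead of turning it into a second separator, and it surfaces malformed escapes as a rejection rather than passing them through.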