[Esapi-user] canonicalizing troubles

Greene, Geoffrey N geoffrey.n.greene at boeing.com
Thu Jan 14 22:25:48 UTC 2016


I have been having some difficulty canonicalizing:

Consider this string:
"a.go?OLD=b&NEW=c"

When ESAPI canonicalizes this string, it incorrectly sees &NE and thinks this is encoded, so it translates this as
a.go?OLD=b≠W=c (that’s the not-equals symbol). It doesn’t seem to realize that it should be looking for the additional semicolon, and so it treats &NEW as <not-equals>W.


There are other examples of this, but &NEW seems like a common parameter name to have.

Here’s an example of a test:

    import static org.junit.Assert.assertEquals;

    import org.junit.Test;
    import org.owasp.esapi.ESAPI;

    @Test
    public void esapiTest()
    {
        // Query string whose second parameter name starts with "NE"
        String input2 = "a.go?OLD=b&NEW=c";

        // Nothing in the input is encoded, so canonicalization should be a no-op
        String canon = ESAPI.encoder().canonicalize(input2);
        assertEquals(input2, canon);
    }

As a result, all my calls to request.getQueryString() fail when my parameter names start with certain characters because it doesn’t canonicalize properly.

Any thoughts?

Thanks
-geoff
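The symptom Geoff describes can be reproduced with a small model of two entity decoders. This is an added example in Python, not ESAPI's code: `decode_lenient` is a simplified stand-in for a decoder that accepts the longest case-insensitive entity-name prefix after `&` without requiring the closing `;` (an assumption about the behaviour, not ESAPI's actual HTMLEntityCodec), `decode_strict` requires the full `&name;` form, and `decode_html5` defers to Python's spec-conformant `html.unescape`. The sample query strings are constructed. `changed_params` is a guard a defender can run: if canonicalization drops a parameter name that was never encoded, anything validated on top of it is inspecting the wrong string.

```python
import html
import re
from html.entities import name2codepoint

# Constructed sample inputs: the query string from the post, a genuinely
# entity-encoded variant of it, and a parameter name that begins with an
# HTML5 "legacy" entity (one the spec allows without a trailing semicolon).
SAMPLE = "a.go?OLD=b&NEW=c"
SAMPLE_ENCODED = "a.go?OLD=b&amp;NEW=c"
SAMPLE_LEGACY = "a.go?OLD=b&notify=1"

# Case-insensitive view of the HTML 4 named entities, used only by the
# lenient model so that "&NE" is treated as "&ne;" the way the post describes.
# Assumption: this models the symptom, not ESAPI's real lookup table.
_CI_ENTITIES = {}
for _name, _cp in name2codepoint.items():
    _CI_ENTITIES.setdefault(_name.lower(), _cp)

_NAME_RUN = re.compile(r"[A-Za-z0-9]+")
_STRICT_REF = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def decode_lenient(s: str) -> str:
    """Model of a lenient decoder: after '&', take the longest alphanumeric
    run that is a known entity name, ignoring case and not requiring ';'.
    This is the behaviour that turns '&NEW=c' into '\u2260W=c'."""
    out = []
    i = 0
    while i < len(s):
        if s[i] != "&":
            out.append(s[i])
            i += 1
            continue
        run = _NAME_RUN.match(s, i + 1)
        name = run.group(0) if run else ""
        matched = next(
            (name[:k] for k in range(len(name), 0, -1)
             if name[:k].lower() in _CI_ENTITIES),
            None,
        )
        if matched is None:          # no entity prefix: keep the literal '&'
            out.append("&")
            i += 1
            continue
        out.append(chr(_CI_ENTITIES[matched.lower()]))
        i += 1 + len(matched)
        if i < len(s) and s[i] == ";":  # semicolon optional, consumed if present
            i += 1
    return "".join(out)


def decode_strict(s: str) -> str:
    """Decode only well-formed references: '&name;' with the semicolon and an
    exact-case match in the HTML 4 table. Everything else is left untouched,
    so '&NEW=c' survives while '&amp;' still decodes."""
    def repl(m):
        name = m.group(1)
        return chr(name2codepoint[name]) if name in name2codepoint else m.group(0)
    return _STRICT_REF.sub(repl, s)


def decode_html5(s: str) -> str:
    """HTML5-conformant reference: only a fixed legacy list may omit ';'."""
    return html.unescape(s)


def changed_params(query: str, decoder) -> list:
    """Parameter names that a decoder removed from a query string. A non-empty
    result means canonicalization rewrote a name that was never encoded."""
    def names(q):
        return {p.split("=", 1)[0] for p in q.split("&")}
    return sorted(names(query) - names(decoder(query)))


if __name__ == "__main__":
    for label, fn in (("lenient", decode_lenient),
                      ("strict", decode_strict),
                      ("html5", decode_html5)):
        for q in (SAMPLE, SAMPLE_ENCODED, SAMPLE_LEGACY):
            print(f"{label:8s} {q!r:26s} -> {fn(q)!r}  dropped={changed_params(q, fn)}")
```

Running it shows the lenient model mangling `&NEW=c` while the strict and HTML5 decoders leave it alone, and all three still decode `&amp;` correctly. The legacy sample is the caveat: even a spec-conformant HTML5 decoder rewrites `&notify=1` to `¬ify=1`, because `not` is on the HTML5 no-semicolon legacy list. For query strings, where `&` is a separator rather than an entity introducer, the strict decoder is the one that does not lose parameter names, and `changed_params` is a cheap regression check to keep around.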

