
Bug 338028

Summary: [Webapp][Security] UrlUtil.HtmlEncode() should encode more characters
Product: [Eclipse Project] Platform
Component: User Assistance
Reporter: Chris Goldthorpe <cgold>
Assignee: Chris Goldthorpe <cgold>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: zhhaohh
Version: 3.7
Target Milestone: 3.7 M6
Hardware: PC
OS: Windows XP
Whiteboard:
Attachments:
  Patch (flags: none)
  Patch for 3.4 maintenance stream (flags: none)

Description Chris Goldthorpe CLA 2011-02-23 17:02:42 EST
I20110222-0800

Currently UrlUtil.HtmlEncode() only encodes "&", ">", "<", "\"" and "'".

It should be encoding most non-alphanumeric characters, since XSS exploits always rely on non-alpha characters and the current set may not be sufficient to prevent all variations of XSS attacks.
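The following is an added illustration of the two encoding strategies the report contrasts; it is not the Eclipse UrlUtil source or the attached patch. encodeNarrow reconstructs the five-character behaviour the report describes, and encodeBroad applies the allow-list approach it asks for: ASCII letters and digits pass through, every other code point becomes a numeric character reference. The class name, method names and the sample string are assumptions made for this example.

```java
public final class HtmlEncodeExample {

    // Narrow encoder: only the five characters the bug report says the
    // existing UrlUtil.HtmlEncode() handled. Reconstructed for illustration.
    public static String encodeNarrow(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Broad encoder: allow-list approach. Only ASCII letters and digits are
    // emitted as-is; every other code point (punctuation, whitespace, control
    // characters, non-ASCII) is written as a decimal numeric character
    // reference, so the output can never introduce markup or close an
    // attribute regardless of which character the input contained.
    // Iterates by code point so supplementary characters (surrogate pairs)
    // are encoded as one reference rather than two broken halves.
    public static String encodeBroad(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        int i = 0;
        while (i < s.length()) {
            int cp = s.codePointAt(i);
            boolean alnum = (cp >= 'a' && cp <= 'z')
                         || (cp >= 'A' && cp <= 'Z')
                         || (cp >= '0' && cp <= '9');
            if (alnum) {
                sb.append((char) cp);
            } else {
                sb.append("&#").append(cp).append(';');
            }
            i += Character.charCount(cp);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary text containing quotes, tags,
        // an already-encoded entity, parentheses and an equals sign.
        String sample = "O'Brien <b>&amp;</b> (x=1)";
        System.out.println("narrow: " + encodeNarrow(sample));
        System.out.println("broad:  " + encodeBroad(sample));
    }
}
```

Two points worth noting when reading the output. First, the broad form is an encoder for raw text, so an input that already contains "&amp;" comes out as "&#38;amp;"; that is correct behaviour, and callers must not encode the same string twice. Second, numeric references are safe in HTML element content and in quoted attribute values, which is the context this helper serves; placing untrusted data inside a script block, an inline event handler or a URL needs a context-specific encoder, and HtmlEncode of either width is not a substitute for it.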
Comment 1 Chris Goldthorpe CLA 2011-02-23 17:21:28 EST
Created attachment 189655: Patch
Comment 2 Chris Goldthorpe CLA 2011-02-23 17:46:47 EST
Patch committed to HEAD, Fixed
Comment 3 Chris Goldthorpe CLA 2011-02-25 13:36:15 EST
Patch applied to 3.5 maintenance stream
Comment 4 Chris Goldthorpe CLA 2011-02-25 13:55:57 EST
Removing the security flag since this bug does not reveal any mode of exploit.
Comment 5 Chris Goldthorpe CLA 2011-02-25 18:17:39 EST
Created attachment 189868: Patch for 3.4 maintenance stream

I have applied this patch to the 3.4 maintenance stream
Comment 6 Chris Goldthorpe CLA 2011-03-08 12:56:19 EST
I had applied this patch to the 3.4 and 3.5 maintenance streams because of vulnerabilities detected by the Appscan tool. These turned out to be false positives. I still think it is a good idea to encode more characters but since this change does not address a known threat I have backed the change out of the 3.4 and 3.5 maintenance streams. HEAD will continue to contain the fix.