Bug 338028 - [Webapp][Security] UrlUtil.HtmlEncode() should encode more characters
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: User Assistance
Version: 3.7
Hardware: PC Windows XP
Importance: P3 major
Target Milestone: 3.7 M6
Assignee: Chris Goldthorpe
Reported: 2011-02-23 17:02 EST by Chris Goldthorpe
Modified: 2011-03-08 12:56 EST

Attachments
Patch (2.27 KB, patch), 2011-02-23 17:21 EST, Chris Goldthorpe
Patch for 3.4 maintenance stream (2.27 KB, patch), 2011-02-25 18:17 EST, Chris Goldthorpe

Description Chris Goldthorpe 2011-02-23 17:02:42 EST
I20110222-0800

Currently UrlUtil.HtmlEncode() only encodes "&", ">", "<", "\"" and "'".

It should be encoding most non-alphanumeric characters, since XSS exploits always rely on non-alpha characters and the current set may not be sufficient to prevent all variations of XSS attacks.
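To make the contrast concrete, here is an added example (not Eclipse's own UrlUtil code, and not taken from the patch attached to this bug). It places a minimal encoder that handles only the five characters listed above beside one that turns every code point outside A-Z, a-z and 0-9 into a numeric character reference. The class and method names (`HtmlEncodeExample`, `encodeMinimal`, `encodeNonAlphanumeric`) are hypothetical, and the sample strings are constructed for the demonstration; the assumption is that the result is emitted into HTML text or a quoted attribute value, where numeric references are valid in both contexts.

```java
/**
 * Added example, not Eclipse's UrlUtil: contrasts the narrow encoder the bug
 * describes (only & > < " ') with one that encodes every character outside
 * A-Z, a-z, 0-9 as a numeric character reference (&#N;).
 */
public final class HtmlEncodeExample {

    /** Encodes only the five characters the bug report lists. */
    public static String encodeMinimal(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Encodes every code point that is not ASCII alphanumeric as &#N;.
     * Iterating by code point (not by char) keeps surrogate pairs intact, so a
     * supplementary character becomes one reference rather than two halves.
     * Non-ASCII letters are encoded too, which also removes any dependence on
     * the response charset.
     */
    public static String encodeNonAlphanumeric(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        s.codePoints().forEach(cp -> {
            boolean alnum = (cp >= 'a' && cp <= 'z')
                         || (cp >= 'A' && cp <= 'Z')
                         || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.append((char) cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the second contains tag characters that both
        // encoders neutralise; the third contains only punctuation such as
        // '=', ':', '(' and ')' that the minimal encoder passes through unchanged.
        String[] samples = {
            "plain text",
            "<b>bold</b> & \"quoted\"",
            "title=x:y(z)",
        };
        for (String in : samples) {
            System.out.println("input   : " + in);
            System.out.println("minimal : " + encodeMinimal(in));
            System.out.println("broad   : " + encodeNonAlphanumeric(in));
            System.out.println();
        }
    }
}
```

The trade-off the bug leaves implicit is visible in the third sample: the broad encoder also turns spaces and ordinary punctuation into references, which makes output longer and harder to read in page source, so an implementation may choose to leave a small fixed set of harmless characters (such as '.', '-' and '_') unencoded. Whatever set is chosen, HTML entity encoding only protects HTML text and attribute-value contexts; a value written into a script block, a URL, or a CSS property needs the encoder for that context instead.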
Comment 1 Chris Goldthorpe 2011-02-23 17:21:28 EST
Created attachment 189655
Patch
Comment 2 Chris Goldthorpe 2011-02-23 17:46:47 EST
Patch committed to HEAD, Fixed
Comment 3 Chris Goldthorpe 2011-02-25 13:36:15 EST
Patch applied to 3.5 maintenance stream
Comment 4 Chris Goldthorpe 2011-02-25 13:55:57 EST
Removing the security flag since this bug does not reveal any mode of exploit.
Comment 5 Chris Goldthorpe 2011-02-25 18:17:39 EST
Created attachment 189868
Patch for 3.4 maintenance stream

I have applied this patch to the 3.4 maintenance stream.
Comment 6 Chris Goldthorpe 2011-03-08 12:56:19 EST
I had applied this patch to the 3.4 and 3.5 maintenance streams because of vulnerabilities detected by the AppScan tool. These turned out to be false positives. I still think it is a good idea to encode more characters, but since this change does not address a known threat, I have backed the change out of the 3.4 and 3.5 maintenance streams. HEAD will continue to contain the fix.