ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator
tusharkumawat opened this issue · 4 comments
Describe the bug
ESAPI.encoder().canonicalize() converts "&or" or similar strings without a trailing semicolon into the corresponding logical operator. A similar issue occurs with "&sub".
Example string "encoding=UTF8&origin=xyz&subject=CS" is getting canonicalized into "encoding=UTF8∨igin=xyz⊂ject=CS".
Specify what ESAPI version(s) you are experiencing this bug in
org.owasp.esapi:esapi:2.5.1.0
To Reproduce
ESAPI.encoder().canonicalize("encoding=UTF8&origin=xyz&subject=CS") returns "encoding=UTF8∨igin=xyz⊂ject=CS".
Expected behavior
ESAPI.encoder().canonicalize("encoding=UTF8&origin=xyz&subject=CS") should return "encoding=UTF8&origin=xyz&subject=CS".
ESAPI.encoder().canonicalize("encoding=UTF8∨igin=xyz⊂ject=CS") should return "encoding=UTF8∨igin=xyz⊂ject=CS".
Platform environment (please complete the following information)
- OS: iOS
- JDK version: 21.0.2
This is working as designed. Modern browsers all render HTML entities without the semicolon, and we have to adhere to that least common denominator.
What this suggests to me is that you're validating a URL. If you're trying to canonicalize a URL, use the appropriate method, Encoder.getCanonicalizedURI(URI).
Sorry, meant to close this as won't fix.
Attempting to enforce the semicolon will open your application up to XSS attacks at minimum, possibly worse.
Actually, I would have closed this as a duplicate of #827, which was closed for the same reason. You can find a more detailed explanation for our decision to mark this as 'wontfix' there. In reality, it's not a bug, it's a feature. If anything, the bug is that we need better Javadoc to call this out, because this is not the first time this has come up.
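An added example, not taken from the issue or from the ESAPI project, contrasting the two methods discussed above: the general-purpose canonicalize() applied to a raw query string, and the URI-aware getCanonicalizedURI() the maintainers point to. It assumes org.owasp.esapi:esapi:2.5.1.0 on the classpath with a valid ESAPI.properties, and the host "example.test" is a constructed placeholder.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class CanonicalizeDemo {

    // The query string from the report; "&or" and "&sub" are decoded as the
    // HTML entities for U+2228 and U+2282 even without a trailing semicolon,
    // because canonicalize() mirrors lenient browser entity handling.
    static final String QUERY = "encoding=UTF8&origin=xyz&subject=CS";

    // Canonicalizing the bare query string as opaque text: this is the
    // behaviour the issue describes (expected: encoding=UTF8∨igin=xyz⊂ject=CS).
    static String canonicalizeAsText(Encoder enc) {
        return enc.canonicalize(QUERY);
    }

    // Canonicalizing the same data as a URI. Per the ESAPI Javadoc this method
    // splits the URI into its components and handles query keys and values
    // individually (assumption about output: parameter names remain intact).
    static String canonicalizeAsUri(Encoder enc) throws URISyntaxException {
        URI dirty = new URI("https://example.test/search?" + QUERY);
        return enc.getCanonicalizedURI(dirty);
    }

    public static void main(String[] args) throws URISyntaxException {
        Encoder enc = ESAPI.encoder();

        System.out.println("as text: " + canonicalizeAsText(enc));
        System.out.println("as URI:  " + canonicalizeAsUri(enc));

        // Defender's check: if the text form differs from the original, the
        // input contained something the lenient decoder treated as an entity.
        // That is a signal to validate URL-shaped input with the URI method
        // rather than to demand a semicolon, as the maintainers note above.
        if (!QUERY.equals(canonicalizeAsText(enc))) {
            System.out.println("entity-like sequence found; use URI canonicalization for URLs");
        }
    }
}
```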