[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL
bugzilla-daemon at bugs.koha-community.org
Thu Feb 28 05:19:59 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223
--- Comment #8 from David Cook <dcook at prosentient.com.au> ---
Using some of the evasion strategies in
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), and Perl's
URI->new() is handling it.
Ah, we can see it at https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L81,
I think.
Basically it encodes everything that isn't in the following:
our $reserved = q(;/?:@&=+$,[]);
our $mark = q(-_.!~*'()); #'; emacs
our $unreserved = "A-Za-z0-9\Q$mark\E";
our $uric = quotemeta($reserved) . $unreserved . "%";
Whereas http://template-toolkit.org/docs/manual/Filters.html#section_url
encodes everything that is outside the permitted URI characters from RFC 2396,
except &, @, /, ;, :, =, +, ? and $.
The key thing is how the URI module doesn't encode the % sign.
(Of course, reading
http://template-toolkit.org/docs/manual/Filters.html#section_uri, it says "(",
")", "~", "*", "!" and the single quote "'" now need to be escaped according
to RFC 3986... and the URI module doesn't do that?)
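A worked illustration of the two escaping rules discussed in this comment, added here as an example; it is not code from Koha, URI.pm or Template Toolkit. `uri_new_escape` and `tt_url_escape` are approximations built from the character classes quoted from URI.pm and from the url filter's behaviour as the TT documentation describes it (scheme detection, whitespace trimming and UTF-8 handling are left out, and the safe set for the url filter is taken literally from the description above); `unescape_once` models a single server-side decode; the sample URLs are constructed. Running it shows that URI->new() leaves an already-encoded parameter untouched, that the url filter turns every % into %25, and that chaining the two double-encodes anything that already contained a percent sign:

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Character classes copied from the URI.pm excerpt quoted above.
my $reserved   = q(;/?:@&=+$,[]);
my $mark       = q(-_.!~*'());
my $unreserved = "A-Za-z0-9\Q$mark\E";
my $uric       = quotemeta($reserved) . $unreserved . "%";

# Approximation of what URI->new() does to the string it is given:
# escape every byte outside $uric (plus '#') and leave '%' alone.
# Scheme handling and whitespace trimming are omitted (assumption).
sub uri_new_escape {
    my ($str) = @_;
    $str =~ s/([^$uric\#])/sprintf("%%%02X", ord($1))/ego;
    return $str;
}

# Approximation of Template Toolkit's url filter as described in the
# comment: escape everything outside the RFC 2396 unreserved set except
# & @ / ; : = + ? $ .  Note that '%' is NOT in the safe set.
sub tt_url_escape {
    my ($str) = @_;
    $str =~ s/([^A-Za-z0-9\-_.!~*'()&\@\/;:=+?\$])/sprintf("%%%02X", ord($1))/eg;
    return $str;
}

# Undo exactly one level of percent-encoding, as the receiving server does.
sub unescape_once {
    my ($str) = @_;
    $str =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $str;
}

# Constructed inputs: an item URL whose query parameter is itself an
# already percent-encoded URL, and a plain URL containing a space.
my @inputs = (
    'http://proxy.example/login?url=http%3A%2F%2Fjournal.example%2Fa%20b',
    'http://journal.example/a b',
);

# The three ways the value could be processed before it reaches the page.
my %pipeline = (
    'URI->new only'       => sub { uri_new_escape($_[0]) },
    'url filter only'     => sub { tt_url_escape($_[0]) },
    'URI->new then | url' => sub { tt_url_escape(uri_new_escape($_[0])) },
);

for my $in (@inputs) {
    print "input: $in\n";
    # What the receiving server should obtain after decoding the link once.
    my $intended = unescape_once($in);
    for my $name (sort keys %pipeline) {
        my $out  = $pipeline{$name}->($in);
        my $seen = unescape_once($out);   # what the server actually obtains
        printf "  %-20s %s  [%s]\n", $name, $out,
            $seen eq $intended ? 'ok' : 'DOUBLE-ENCODED';
    }
    print "\n";
}
```

For the already-encoded input, only the pipelines that include the url filter are flagged, because the filter has no way to tell an existing %XX sequence from a bare percent sign; for the raw input with a space, each encoder alone is fine and only the chained pair is flagged, since URI->new() produces a %20 that the url filter then re-encodes. Whichever layer is chosen to do the escaping, it needs to be the only one.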