https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223 --- Comment #23 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #22)
We could also check URLs for characters outside the "unreserved character" list, and percent-encode if we find any (by percent encoding components rather than using the "url" filter). You could get false positives but that's better than a false negative.
That should prevent XSS and allow through properly encoded URLs (e.g. "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").
Except that I'm wrong. It wouldn't allow through properly encoded URLs because % is not an "unreserved character". But as I said in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c8 that's why URI "find all funny characters and encode the bytes" when the characters are not reserved, not unreserved, and not a % sign: https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L80 -- You are receiving this mail because: You are watching all bug changes.