[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jul 30 08:38:03 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #23 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #22)
> We could also check URLs for characters outside the "unreserved character"
> list, and percent-encode if we find any (by percent encoding components
> rather than using the "url" filter). You could get false positives but
> that's better than a false negative.
> 
> That should prevent XSS and allow through properly encoded URLs (e.g.
> "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").

Except that I'm wrong. It wouldn't allow through properly encoded URLs because
% is not an "unreserved character".

But as I said in
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c8 that's why
URI "find all funny characters and encode the bytes" when the characters are
not reserved, not unreserved, and not a % sign:

https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L80
