Comments (7)
kwwall
commented on July 3, 2024
@bardware - I don't think this is a bug. I think you are using it incorrectly. You really should NOT be calling Encoder.canonicalize() here. It's important to call canonicalize before you doing validation, but not when you are doing output encoding.
If I pass the input of "fit&gesund" to Encoder.canonicalize(), it will return the string "fit≥sund", which is where your "≥" arises from. Calling Encoder.encodeForJavaScript() on that then returns "fit\u2265sund". However, if you call Encoder.encodeForJavaScript() directly on the string "fit&gesund", it will return the string "fit\x26gesund", which makes sense as '&' is 0x26 in ASCII and UTF-8.
If you agree, then please close this ticket. If you disagree, then please explain your rationale for first calling Encoder.canonicalize before doing output encoding.
from esapi-java-legacy.
xeno6696
commented on July 3, 2024
Kevin did most of the heavy lifting.
Probably part of the problem is that you GOT the value using Validator.getValidInput() which IIRC runs a canonicalization on it.
I've long felt that the semantics of that part of the API were terrible. Because it encourages storage of the canonicalized input.
Proper practice would be to canonicalize, validate, and then discard the validated version and store the original input (because canonicalization is destructive.)
I think we should update the documentation of the getValid methods to make the intention more clear.
After 14yrs this feels like a "code smell" like "getValidSafeHTML()"
At any rate, I don't think this is a bug because browsers will render HTML entities without the semicolon (last tested about three months back) and the safe default because of that would be to reduce them whenever discovered. Browser Vendors are the ones forcing that.
If you think THAT is an ESAPI issue, ESAPI is BSD licensed and you can write your own HTMLEntityCodec that strictly only detects with the semicolons. However if that causes security issues for you, that's on you as you're deviating from a safe default.
from esapi-java-legacy.
kwwall
commented on July 3, 2024
What Matt didn't say was the the ESAPI output encoders were *intentionally*
written to provide a "safe harbor" to users who used a popular set of badly
broken and vulnerable browsers from a certain company whose first goal was
definitely not security and who played fast and loose with the W3C specs.
Things aren't quite as bad as they once were in the regard, but ESAPI has
still retained that behavior over the years. If you want something that has
no safe harbor to protect your users from misbehaving browsers, either
write your own HtmlEntityCodec like Matt suggested or switch over to the
OWASP Java Encoder Project.
… Message ID: ***@***.***>
from esapi-java-legacy.
planetlevel
commented on July 3, 2024
Exactly. The spec doesn’t matter. The implementation(s) matter. When we redesign the Internet, let’s not have 20 different encoding / escaping schemes in nested contexts.Thanks,—Jeff410-707-1487On Aug 4, 2023, at 8:41 PM, Kevin W. Wall ***@***.***> wrote:
What Matt didn't say was the the ESAPI output encoders were *intentionally*
written to provide a "safe harbor" to users who used a popular set of badly
broken and vulnerable browsers from a certain company whose first goal was
definitely not security and who played fast and loose with the W3C specs.
Things aren't quite as bad as they once were in the regard, but ESAPI has
still retained that behavior over the years. If you want something that has
no safe harbor to protect your users from misbehaving browsers, either
write your own HtmlEntityCodec like Matt suggested or switch over to the
OWASP Java Encoder Project.
Message ID: ***@***.***>
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
from esapi-java-legacy.
bardware
commented on July 3, 2024
Thank you for your replies.
I got the original behaviour when I used ColdFusion
The EncodeForHTML function takes two arguments. The string and a value that says if canonicalization happens before encoding.
I guess this is supposed to ensure entities are not encoded multiple times. That's how I expect it to work.
from esapi-java-legacy.
kwwall
commented on July 3, 2024
I guess it would be okay to do a canonicalization check before encoding I guess and if you see that the canonicalized string and the original input different, just reject it outright (as an attempted attack, say), but at least for the ESAPI for Java output encoders, feeding the canonicalized output into the encoders as input is going to cause problems like I originally noted. And output encoding is safe (as long as you select the encoder for the appropriate context), even if the string is not in canonical form. Maybe ColdFusion did something differently.
As far as I know, that's how the ESAPI for Java output encoders have always worked, at least going back as far as version 2.0, which is when I first got involved. You can look at 'git blame' on DefaultEncoder.java if you want, but the only recent change was an addition to support encodeForJSON and a bit before that, @xeno6696 added changes that (I think) had to do with encodeForURL (or perhaps that was only addressing the Validator; it's been a while). I think it was related to GitHub Issue #300 though. Matt can expound or correct me if I'm wrong or forgetting something. Other than that, I think there's just been a few bug fixes, but nothing else major.
from esapi-java-legacy.
kwwall
commented on July 3, 2024
@bardware wrote:
I got the original behaviour when I used ColdFusion
The EncodeForHTML function takes two arguments. The string and a value that says ifcanonicalization happens before encoding.
I guess this is supposed to ensure entities are not encoded multiple times. That's how I expect it to work.
@planetlevel can correct me if I am wrong, but I believe that technically ESAPI for Cold Fusion has never been an OWASP project and it is in fact based on ESAPI for Java 1.4 or earlier. Lots of things have changed in 2.0. If you are getting this or a similar error in ESAPI for Cold Fusion, then this bug report should be filed with Adobe, not here.
I am marking this as 'wontfix' and am closing it because I believe that is the misapplication of doing the canonicalization that is causing the perceived problem, and as previously mentioned, you should not be doing that.
from esapi-java-legacy.
Related Issues (20)
- ESAPI excludes transitive dependency xalan from xom, but does not include it itself HOT 2
- Logs printed using println() are always printed and no option to disable them. HOT 2
- Insecure default signature key length HOT 3
- Change AntiSamy to eventually use SAX parser by default, but allow DOM parser to be used for backward compatibility
- Does esapi-java-legacy support jDK17 HOT 1
- Fix typo in comment in validation.properties files HOT 2
- Option to omit event type prefix in logs HOT 1
- Fix Encoder.encodeForLDAP and Encoder.encodeForDN so they are strictly conformant with Section 3 of RFC 4515 HOT 1
- decode method doesn't work proper for some strings HOT 3
- Revert Dependency Check goal from 'purge' to 'check' once NVD API stops returning 503 'Service Unavailable' errors HOT 1
- DefaultEncoder / getCanonicalizedURI returns mix encoding for HTML special characters HOT 5
- Fix Encoder.getCanonicalizedURI(URI) for the test case of a double-ampersand in the HTML Query HOT 1
- HTMLEntityCodec Mysteriously decodes &or HOT 11
- java.io.FileNotFoundException Error in Logs When ESAPI.properties and validation.properties are in resources. and the application is up ,features are not working. HOT 9
- easpi .properties and validation properties are present but still it is throwing error and the application is failing do you have any solution for this HOT 3
- Validator.isValidSafeHTML() is vulnerable as per CVE-2023-4780 HOT 1
- Validation does not work with esapi jakarta jar HOT 3
- Getting org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception. HOT 4
- ConcurrentModificationException HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from esapi-java-legacy.