
encode special character

giang nguyen
Ranch Hand

Joined: May 13, 2003
Posts: 42
The Web Agent in which we deploy our application will refuse URL requests that contain any of the characters or strings of characters identified in the agent configuration. By default, the Web Agent rejects URL requests that include the following character sequences: //, ./, /., /*, *., ~, \, %00-%1f, %7f-%ff, %25, %25U, %25u. These default characters represent potential security exploits and will be blocked at the web server.
Cross-Site Scripting
When CSS Checking is enabled, a Web Agent will scan a full URL (including the query string) for the presence of escaped and unescaped versions of the following default character set: left and right angle brackets (< and >), single quote ('). It will log an error and refuse access when found.
So sometimes, if any of our URLs contain those characters, they will be blocked.
Can anyone give me advice on how to overcome this problem? Or provide me with an encode and decode function (can be a prototype) that can pass this.
Thanks a lot


SCJP 1.4, SCWCD
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Obviously double-escaping won't work, but have you considered an alternate encoding to pass the data? It's a bit less intuitive, but you could Base64 encode the data then decode it back in the servlet.
Therefore you'd send &path=B891F (don't try to decode this, I just made it up) rather than &path=/dave
/Dave
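
A sketch of the Base64 approach suggested above, added here as an example and not code from either poster. It uses the URL-safe Base64 alphabet without padding, because standard Base64 output can contain `/`, `+` and `=` (so `//` could still appear and be rejected by the agent's default list). The class name `PathParamCodec` and the validation rule for the decoded value are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PathParamCodec {
    // URL-safe alphabet (A-Z a-z 0-9 - _) with '=' padding dropped: the output
    // never contains '/', '.', '*', '~', '\', '%', '<', '>' or a single quote.
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Called where the link or redirect is built (JSP, tag, client helper).
    static String encode(String value) {
        return ENC.encodeToString(value.getBytes(StandardCharsets.UTF_8));
    }

    // Called in the servlet. The Web Agent only inspected the encoded form,
    // so the application has to validate the real value after decoding.
    static String decode(String param) {
        String value;
        try {
            value = new String(DEC.decode(param), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("parameter is not valid Base64", e);
        }
        // Hypothetical policy for a "path" parameter: absolute, limited
        // character set, bounded length, no empty segments. Adjust to the
        // values your application really accepts.
        if (!value.matches("/[A-Za-z0-9_/-]{0,255}") || value.contains("//")) {
            throw new IllegalArgumentException("decoded path rejected");
        }
        return value;
    }

    public static void main(String[] args) {
        String original = "/dave";          // constructed sample value
        String encoded = encode(original);  // safe to place after "&path="
        System.out.println("path=" + encoded);
        System.out.println("decoded: " + decode(encoded));
    }
}
```

`java.util.Base64` requires Java 8 or later; on older containers a library codec with a URL-safe mode would be needed instead.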
 