JavaRanch » Java Forums » Java » Servlets
URLEncoder & URLDecoder

Ally Cavs
Ranch Hand

Joined: Aug 25, 2008
Posts: 88
Hi Guys,

My web app always hits a servlet first on the server side, so I'm guessing this first point is where I should encode/decode.

I am wondering about guidelines for
what to encode
when to encode
where to encode
& best practices in general

I know forms are implicitly encoded and decoded. So do I need to encode/decode these values server side?

Should I encode/decode any parameters taken in from the URL?

Should I store encoded values in the database? I was told this is best practice.

Also I was told to decode anything first and then encode, as a hacker may encode his attempted JavaScript injection attack. So by decoding first and then encoding the data you render his attack useless?

Are there any good websites out there that give good guidelines on this?

Thanks
Ally Cavs
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Originally posted by Alan Cavanagh:
I know forms are implicitly encoded and decoded. So do I need to encode/decode these values server side?
Since you already know that the encoding is handled for you, why the question?

Should I encode/decode any parameters taken in from the URL?
No. Also handled for you.

Should I store encoded values in the database? I was told this is best practice.
You are storing URLs in the database?

Also I was told to decode anything first and then encode, as a hacker may encode his attempted JavaScript injection attack. So by decoding first and then encoding the data you render his attack useless?
I can't make heads or tails of this. It sounds as if you may be confusing URL encoding with HTML encoding.

The purpose of URL encoding is to allow parameter names and values to contain characters that would otherwise be construed as control characters in the URL. This encoding has nothing to do with security.

The only time you need to be concerned with URL encoding is when you are hand-building a URL with query parameters. The names and values of the parameters must be URL encoded.
[ August 25, 2008: Message edited by: Bear Bibeault ]

Ally Cavs
Ranch Hand

Joined: Aug 25, 2008
Posts: 88
Thanks for your reply Bear. I understand a bit better now, sort of.

Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything server side?

As for storing data, I won't be storing URLs. I have a review section in my web app where users post up reviews. If a hacker embedded some JavaScript for an attack I want to know how to avoid this. Having said that, a user could give a URL as part of their review.
So would I need to encode/decode the review?
Do I store the encoded version on my database?

However I am building up URLs dynamically to other pages of my web app. It's a search app. So when a user gets back results from a search, there will be links leading to a page for each item returned in a search. This item page is generated dynamically from content in the database.
So I'm guessing I would have to encode those links?

And yes I was confusing URL encoding and HTML encoding. I have just done a quick Google for HTML encoding. So I will probably have to have a look at JTidy or something else. I'm not sure what HTML encoding is for though?

I now know what URL encoding is for thanks to you!!!

Alan
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Originally posted by Alan Cavanagh:
Forms are implicitly encoded/decoded. But from a security perspective do I need to check for anything server side?
Again, the URL encoding has absolutely nothing to do with security. Do not confuse encoding with encryption. If you want security, that's where SSL comes in.

As for storing data, I won't be storing URLs.
Then you don't need to worry about URL encoding. No URLs, no URL encoding.

Do I store the encoded version on my database?
No. Again, URL encoding will do nothing for you with regards to security or hacking or anything along those lines.

So I'm guessing I would have to encode those links?
Depends how the URLs are being generated. In JavaScript? In Java? With the JSTL?

I'm not sure what HTML encoding is for though?
To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoded to display correctly.
[ August 25, 2008: Message edited by: Bear Bibeault ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

"Ally Cavs", please restore your display name to its previous value.
Ally Cavs
Ranch Hand

Joined: Aug 25, 2008
Posts: 88
Thanks Bear. OK, I must have the idea of encoding/decoding all wrong. Thanks for your help. I'll see what I need to do to make my web app safe and also I'll look into encoding/decoding URLs. I'm returning the link via JSP through a java.lang.String. This string will be composed of all the XML that the JavaScript will parse.

As for my user name, this is the user name I intended to have in the first place. Sorry if it confused ya.
dwlpb dwlpb
Greenhorn

Joined: Dec 04, 2008
Posts: 1
Originally posted by Bear Bibeault:
To encode text data so that it doesn't interfere with HTML parsing. For example, putting angle brackets in your text can boof up the HTML parsing, so those characters must be encoded to display correctly.


Actually, HTML encoding is important from a security perspective. Allowing angle brackets in HTML output will allow cross-site scripting attacks to work. HTML encode all markup that's sent back to the user, and you don't have to worry about XSS.
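To make the two encodings discussed in this thread concrete, here is an added example (not code from the thread or its posters) that hand-builds a search-result link with URLEncoder, shows what the container's decoding hands back, and HTML-encodes a stored review on output; the /app/item servlet path, the parameter name and the sample strings are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class EncodingDemo {

    // URL encoding: only needed for names/values you place into a query string yourself.
    // "/app/item" is a hypothetical servlet mapping for the item page.
    static String buildItemLink(String itemName, int page) {
        return "/app/item?name=" + URLEncoder.encode(itemName, StandardCharsets.UTF_8)
                + "&page=" + page;
    }

    // HTML encoding: for any text dropped into an HTML page, e.g. a user's review.
    // Escapes the five characters that can change how the browser parses markup.
    static String htmlEncode(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a search result whose name contains reserved URL characters.
        String link = buildItemLink("Tom & Jerry: 50% off?", 2);
        System.out.println(link);
        // /app/item?name=Tom+%26+Jerry%3A+50%25+off%3F&page=2

        // The container does this for request.getParameter("name"); shown here explicitly.
        String raw = link.substring(link.indexOf("name=") + 5, link.indexOf("&page"));
        System.out.println(URLDecoder.decode(raw, StandardCharsets.UTF_8));
        // Tom & Jerry: 50% off?

        // Constructed sample review: store it as typed, HTML-encode it when rendering.
        String review = "Great film <b>10/10</b> <script>alert(1)</script>";
        System.out.println("<p>" + htmlEncode(review) + "</p>");
        // The script tag is displayed as literal text instead of being executed.
    }
}
```

Note that URLEncoder produces form encoding (space becomes "+"), which is what servlet containers decode for query parameters; it is not suitable for encoding a path segment.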
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

"dwlpb dwlpb", please check your private messages for an important administrative matter.