Encode more characters in url_encode()

RESOLVED FIXED

Status

Webtools Graveyard
Tinderbox
major
9 years ago
4 years ago

People

(Reporter: reed, Assigned: reed)

(Assignee)

Description

9 years ago
Created attachment 357769 [details] [diff] [review]
patch - v1

In tbglobals.pl's url_encode(), we should encode more characters to help prevent XSS. Bonsai might need this same patch.
Attachment #357769 - Flags: review?(timeless)
Attachment #357769 - Flags: review?(bear)

Updated

9 years ago
Duplicate of this bug: 369922
(Assignee)

Comment 2

9 years ago
Comment on attachment 357769 [details] [diff] [review]
patch - v1

cls, I'll take your review, too... didn't know you were around. :)
Attachment #357769 - Flags: review?(cls)

Comment 3

9 years ago
wouldn't it make more sense to just use a simple regexp pattern?
(Assignee)

Comment 4

9 years ago
(In reply to comment #3)
> wouldn't it make more sense to just use a simple regexp pattern?

What do you mean?

Comment 5

9 years ago
I'm sure that he means that It Would Be Nice(tm) if we could use a regexp or pattern like the one being used for url_decode() instead of adding a lot of individual exceptions.  I looked for one but couldn't find it.

http://mxr.mozilla.org/mozilla/source/webtools/tinderbox/tbglobals.pl#390
(Assignee)

Comment 6

9 years ago
RFC 3986 gives a specific list of what should and shouldn't be encoded, so we can't just use a regex to encode everything, just like url_decode() is able just to decode anything encoded. This has to be an actual list of characters to be encoded, sadly.

Updated

9 years ago
Attachment #357769 - Flags: review?(timeless)
Attachment #357769 - Flags: review?(cls)
Attachment #357769 - Flags: review?(bear)
Attachment #357769 - Flags: review+
(Assignee)

Comment 7

9 years ago
Thanks for the review.

Checking in tbglobals.pl;
/cvsroot/mozilla/webtools/tinderbox/tbglobals.pl,v  <--  tbglobals.pl
new revision: 1.70; previous revision: 1.69
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 8

9 years ago
Turns out that bonsai had the regexp I was looking for.

http://mxr.mozilla.org/mozilla/source/webtools/bonsai/CGI.pl#42
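As an added example (not code from tbglobals.pl or from the Bonsai CGI.pl regexp linked above), here are the two approaches discussed in comments 3 to 8 side by side in Perl: a blocklist-style url_encode() that has to enumerate each character it encodes, and a single RFC 3986 allowlist regexp that encodes everything except the unreserved set. The function names, the blocklist contents and the sample input are constructed for this example, and the input is assumed to be a byte string.

```perl
#!/usr/bin/perl
# Added example, not Tinderbox's own tbglobals.pl code.
use strict;
use warnings;

# Blocklist style: percent-encode only an explicit list of characters.
# Anything not on the list (here the quotes and angle brackets) passes
# through untouched, which is the gap the bug report is about. The list
# is illustrative, not the one from the original patch.
sub url_encode_blocklist {
    my ($s) = @_;
    my %hex = map { $_ => sprintf('%%%02X', ord $_) } (' ', '%', '&', '?', '#', '+');
    $s =~ s/([ %&?#+])/$hex{$1}/g;
    return $s;
}

# Allowlist style: RFC 3986 section 2.3 defines the unreserved characters
# as ALPHA / DIGIT / "-" / "." / "_" / "~". A negated character class
# encodes every other byte, so no per-character exceptions are needed.
# Assumes $s is a byte string (wide characters should be UTF-8 encoded
# before calling this).
sub url_encode_rfc3986 {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Matching decoder: any %XX sequence becomes the byte it names.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex $1)/ge;
    return $s;
}

# Constructed sample input with the characters an HTML context cares about.
my $input = q{tree=Firefox&note="<b>x</b>" 'y'};
print "blocklist: ", url_encode_blocklist($input), "\n";
print "rfc3986:   ", url_encode_rfc3986($input), "\n";

# Round trip shows the allowlist encoder loses nothing, while still
# leaving no quote or angle bracket in the encoded form.
die "round trip failed" unless url_decode(url_encode_rfc3986($input)) eq $input;
die "unsafe char left"  if url_encode_rfc3986($input) =~ /["'<>]/;
```

The blocklist output still contains `"`, `<`, `>` and `'` verbatim; the allowlist output contains only unreserved characters and %XX escapes.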

Comment 9

9 years ago
patch v1 checked into tbox1_20080527_cls_branch
Product: Webtools → Webtools Graveyard