Bug 474394 - Encode more characters in url_encode()
Status: Closed (RESOLVED FIXED)
Opened 16 years ago, closed 16 years ago
Categories: Webtools Graveyard :: Tinderbox, defect
Tracking: Not tracked
People: Reporter: reed, Assigned: reed
Attachments (1 file): patch, 1.07 KB, cls: review+
In tbglobals.pl's url_encode(), we should encode more characters to help prevent XSS. Bonsai might need this same patch.
Attachment #357769 - Flags: review?(timeless)
Attachment #357769 - Flags: review?(bear)
Comment 2 • 16 years ago (Assignee)
Comment on attachment 357769: patch - v1
cls, I'll take your review, too... didn't know you were around. :)
Attachment #357769 - Flags: review?(cls)
Comment 4 • 16 years ago (Assignee)
(In reply to comment #3)
> wouldn't it make more sense to just use a simple regexp pattern?
What do you mean?
I'm sure that he means that It Would Be Nice(tm) if we could use a regexp or pattern like the one being used for url_decode() instead of adding a lot of individual exceptions. I looked for one but couldn't find it. http://mxr.mozilla.org/mozilla/source/webtools/tinderbox/tbglobals.pl#390
Comment 6 • 16 years ago (Assignee)
RFC 3986 gives a specific list of what should and shouldn't be encoded, so we can't just use a regex to encode everything, just like url_decode() is able just to decode anything encoded. This has to be an actual list of characters to be encoded, sadly.
Attachment #357769 - Flags: review?(timeless)
Attachment #357769 - Flags: review?(cls)
Attachment #357769 - Flags: review?(bear)
Attachment #357769 - Flags: review+
Comment 7 • 16 years ago (Assignee)
Thanks for the review.

Checking in tbglobals.pl;
/cvsroot/mozilla/webtools/tinderbox/tbglobals.pl,v  <--  tbglobals.pl
new revision: 1.70; previous revision: 1.69
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Turns out that bonsai had the regexp I was looking for. http://mxr.mozilla.org/mozilla/source/webtools/bonsai/CGI.pl#42
Updated • 10 years ago
Product: Webtools → Webtools Graveyard
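The regexp-versus-list question from comments 4 through 6, as an added example that is not the attached patch or Bonsai's code: rather than listing characters to encode, percent-encode every byte outside the RFC 3986 "unreserved" set. The function name url_encode_component and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);

# Hypothetical helper, not the function in tbglobals.pl.
# RFC 3986 section 2.3 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~".
# Every other byte is percent-encoded, so the result is usable as one
# query-string value and contains no HTML metacharacters.
sub url_encode_component {
    my ($value) = @_;
    # Work on octets: a character above 0x7F becomes several %XX escapes.
    my $bytes = encode('UTF-8', $value);
    $bytes =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $bytes;
}

# Constructed sample inputs mapped to the encoding they must produce.
my %constructed = (
    'Firefox-3.1_nightly~a' => 'Firefox-3.1_nightly~a',
    qq{Fire"fox<b>&x=1}     => 'Fire%22fox%3Cb%3E%26x%3D1',
    "it's 100% a/b"         => 'it%27s%20100%25%20a%2Fb',
    "caf\x{e9}"             => 'caf%C3%A9',
);

for my $in (sort keys %constructed) {
    my $out = url_encode_component($in);
    die "unexpected encoding: $out\n" unless $out eq $constructed{$in};
    # Nothing that can close an attribute or open a tag may survive.
    die "unsafe character left in output: $out\n" if $out =~ /[<>"'&\s]/;
    print "$out\n";
}
```

This encodes a single parameter value, not a whole URL: applied to a full URL it would also escape the "/", "?" and "&" delimiters.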