Page History

...

This noncompliant code example takes a user input query string and build a URL. Because the URL is not properly encoded, the URL returned is may not be valid because if it contains non-URL-safe characters characters, as per RFC 1738.

String buildUrl(String q) {
  //user inputs the argument "#YOLO2018"
  String url = "https://example.com?query=" + q;
 
  return url;
}

For example, if the user supplies the input string "<#catgifs>", the The url returned is is "https://example.com?query=#YOLO2018<#catgifs>" which is not a valid URL.

Compliant Solution (Java 8)

Use java.util.Base64 to encode and decode data when transferring binary data over mediums that only allow printable characters like URLs, filenames, and MIME.

String buildEncodedUrl(String q) {
    String origUrlencodedUrl = "https://example.com?query=" + q;
    String encodedUrl = Base64.getUrlEncoder().encodeToString(origUrlq.getBytes());
 
    return encodedUrl;
}

If the user supplies the input string "<#catgifs>", the url The encodedUrl returned is "https%3A%2F%2Fexample.com%3Fquery%3D%23YOLO2018https://example.com?query=%3C%23catgifs%3E" which is a valid URL. Use java.util.Base64 to encode and decode when transferring binary data over mediums that only allow printable characters like URLs, filenames, and MIME.

Applicability

Failure to encode or escape output before it is displayed or passed across a trust boundary can result in the execution of arbitrary code.

...

Related Vulnerabilities

The Apache GERONIMO-1474 vulnerability, reported in January 2006, allowed attackers to submit URLs containing JavaScript. The Web Access Log Viewer failed to sanitize the data it forwarded to the administrator console, thereby enabling a classic XSS attack.

...