[ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081045#comment-13081045 ]
Owen O'Malley commented on HADOOP-7527:
---------------------------------------
The QuotingInputFilter has a very different purpose than the others. It is
ensuring that parameters that are echoed back to the user don't create XSS
vulnerabilities. In particular, they are using HTML quoting and not URL quoting.
> Make URL encoding consistent
> ----------------------------
>
> Key: HADOOP-7527
> URL: https://issues.apache.org/jira/browse/HADOOP-7527
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 0.23.0
> Reporter: Eli Collins
>
> URL encoding is currently handled in at least 4 different ways. We should
> make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to HTML-escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet
> and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places
> We should also be consistent about how we pass file names in URLs, sometimes
> they're passed in the path segment, sometimes they're passed in the query
> fragment as parameters.
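
The distinction drawn in the comment above, between URL quoting for transport and HTML quoting for values echoed back to the user, shown as an added example (not code from Hadoop or from this issue). The class name, the htmlQuote helper, the host name and the sample value are hypothetical; only JDK classes are used.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class EncodingContexts {
    // Hypothetical minimal HTML quoting for element text and quoted attributes.
    static String htmlQuote(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample parameter value containing URL and HTML metacharacters.
        String raw = "logs/a&b <\"x\">";

        // URL quoting: protects the value while it travels as one query parameter.
        String wire = URLEncoder.encode(raw, "UTF-8");
        System.out.println("URLEncoder : " + wire);

        // The multi-argument URI constructor quotes only characters that are
        // illegal in a URI, so '&' and '/' pass through unchanged and the
        // receiver would see the value split at '&'.
        URI uri = new URI("http", "host.example", "/browse", "dir=" + raw, null);
        System.out.println("URI query  : " + uri.getRawQuery());

        // The receiving side decodes the wire form before application code
        // sees it, so the markup characters are back in the parameter value.
        String received = URLDecoder.decode(wire, "UTF-8");
        System.out.println("decoded    : " + received);
        System.out.println("same as raw: " + received.equals(raw));

        // HTML quoting: applied when the value is written into a page.
        System.out.println("HTML quoted: " + htmlQuote(received));
    }
}
```

Because the decoded value is identical to the raw one, URL quoting on the way in gives no protection when the value is echoed; the HTML quoting step has to happen at output regardless of how the URL was built.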