[
https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081055#comment-13081055
]
Todd Lipcon commented on HADOOP-7527:
-------------------------------------
The QuotingInputFilter is also totally misguided - yes, it prevents you from
accidentally forgetting to encode something, but it's done at the wrong layer.
Encoding is output-type dependent -- just because we usually output to HTML
doesn't mean that the parameters should be HTML-encoded "on the way in".
The correct way to do this is to make sure all interpolation of user input
escapes at interpolation time -- the encoding should then be the proper
context-dependent escaping scheme (e.g. URL escaping, JavaScript escaping, or
HTML escaping, which are all different and sometimes need to be layered).
> Make URL encoding consistent
> ----------------------------
>
> Key: HADOOP-7527
> URL: https://issues.apache.org/jira/browse/HADOOP-7527
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 0.23.0
> Reporter: Eli Collins
>
> URL encoding is currently handled in at least 4 different ways. We should
> make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to HTML-escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet
> and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places
> We should also be consistent about how we pass file names in URLs; sometimes
> they're passed in the path segment, sometimes they're passed in the query
> fragment as parameters.
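
The difference between quoting parameters on input and escaping at interpolation time, as an added example that is not Hadoop code and not part of the original message. The helper names `html`, `urlParam` and `jsString`, the file name, and the `/browse` URL with its `format` parameter are constructed for illustration; only JDK classes are used (Java 10 or later for `URLEncoder.encode(String, Charset)`).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ContextEscapingDemo {
    // HTML text and quoted-attribute context. '&' must be replaced first.
    static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // URL query-parameter context (form encoding: space becomes '+').
    static String urlParam(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // JavaScript string-literal context inside an inline <script> block:
    // every char outside ASCII letters and digits becomes a backslash-u hex escape.
    static String jsString(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean plain = c < 128 && Character.isLetterOrDigit(c);
            b.append(plain ? String.valueOf(c) : String.format("\\u%04x", (int) c));
        }
        return b.toString();
    }

    public static void main(String[] args) {
        String file = "logs/a&b <2011>.txt"; // constructed sample file name

        // Quoting "on the way in": the stored value is already HTML text, so
        // reusing it as a URL parameter names a different file (a&amp;b ...).
        String quotedOnInput = html(file);
        System.out.println("input-quoted, as URL: ?filename=" + urlParam(quotedOnInput));

        // Escaping at interpolation time: keep the raw value, encode per sink.
        // The link layers two schemes: URL-encode the parameter, then
        // HTML-escape the whole URL for the href attribute.
        String url = "/browse?filename=" + urlParam(file) + "&format=raw";
        System.out.println("<a href=\"" + html(url) + "\">" + html(file) + "</a>");
        System.out.println("<script>var f = '" + jsString(file) + "';</script>");
    }
}
```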