[ 
https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081691#comment-13081691
 ] 

Owen O'Malley commented on HADOOP-7527:
---------------------------------------

{quote}
Anyone who has done substantial web development would disagree with you that 
this is the correct way.
{quote}

*Laugh* It was the Yahoo paranoids, who have done *thousands* of properties, who 
strongly suggested it as by far the most reliable way of avoiding problems. XSS 
problems are endemic and very hard to catch without tools. Mechanisms that 
cause the dev's code to fail in a safe way are far preferable to ones that fail 
with an XSS that lies unfixed for years.

> Make URL encoding consistent
> ----------------------------
>
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
>
> URL encoding is currently handled in at least 5 different ways. We should 
> make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet 
> and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> # encodePath from Jetty's URIUtil
> We should also be consistent about how we pass file names in URLs; sometimes 
> they're passed in the path segment, sometimes they're passed in the query 
> fragment as parameters.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
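The issue description above lists several encoders being used interchangeably, and the comment argues for a mechanism that escapes parameters by default so a forgotten escape fails safe rather than as an XSS. The following Python block is an added illustration of both points; it is not Hadoop code and uses none of the Hadoop or Jetty classes named in the issue. It shows that path-segment encoding, query-string encoding and HTML escaping are three different transforms of the same value, that a file name round-trips cleanly only when the encoder matches where it is placed, and how a hypothetical fail-safe parameter wrapper (here `QuotingParams`, an assumed stand-in for the RequestQuoter idea) makes an unescaped template inert. `FILE_NAME` and the parameter values are constructed inputs.

```python
"""Added example (not from the Hadoop project): why mixed URL/HTML encoders
cause inconsistency, and what a fail-safe parameter wrapper buys you."""
import html
from urllib.parse import parse_qs, quote, quote_plus, unquote, urlencode, urlsplit

# Constructed file name containing bytes that are significant in a path ('/'),
# in a query string ('&', '=', '+'), in a fragment ('#') and in HTML ('<', '>').
FILE_NAME = "dir/a b&c=d+e#f<g>.txt"


def encodings(value: str) -> dict:
    """Three encoders, three different outputs for the same input. Using the
    wrong one for a given position either breaks the value or leaves it unsafe."""
    return {
        "path": quote(value, safe=""),          # percent-encode everything reserved
        "query": quote_plus(value),             # form encoding: space -> '+'
        "html": html.escape(value, quote=True),  # entity encoding for HTML text
    }


def build_path_url(name: str) -> str:
    """Carry the file name in the path segment. safe='' also encodes '/', so an
    embedded slash cannot become an extra path component."""
    return "/browse/" + quote(name, safe="")


def build_query_url(name: str) -> str:
    """Carry the same name as a query parameter; urlencode keeps '&', '=' and '+'
    inside the value instead of letting them act as separators."""
    return "/browse?" + urlencode({"file": name})


def extract_from_path(url: str) -> str:
    """Server side: take the last path segment and percent-decode it."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[1])


def extract_from_query(url: str) -> str:
    """Server side: parse_qs decodes '+' and %XX back to the original value."""
    return parse_qs(urlsplit(url).query)["file"][0]


def render_unsafe(params: dict) -> str:
    """A page template whose author forgot html.escape: the decoded parameter
    lands in the markup verbatim. With a plain dict this is the XSS case."""
    return "<p>File: %s</p>" % params["file"]


class QuotingParams(dict):
    """Hypothetical fail-safe wrapper: every value read from the request is
    HTML-escaped on access, so a template that forgets to escape stays inert.
    (Assumed design, illustrating the comment's point; not Hadoop's class.)"""

    def __getitem__(self, key):
        return html.escape(super().__getitem__(key), quote=True)


def render_with_quoter(raw_params: dict) -> str:
    """Same forgetful template, but fed through the quoting wrapper."""
    return render_unsafe(QuotingParams(raw_params))


if __name__ == "__main__":
    for where, enc in encodings("a b&c").items():
        print(f"{where:>5}: {enc}")
    print(build_path_url(FILE_NAME), "->", extract_from_path(build_path_url(FILE_NAME)))
    print(build_query_url(FILE_NAME), "->", extract_from_query(build_query_url(FILE_NAME)))
    raw = {"file": "<b>x</b>"}                     # constructed request parameter
    print("plain dict :", render_unsafe(raw))       # markup survives
    print("quoted dict:", render_with_quoter(raw))  # markup neutralised
```

The decisive detail is that percent-encoding and HTML escaping are not interchangeable: a value that was correctly URL-encoded on the wire is already decoded by the time a servlet reads it, so only an HTML escape applied at output (or, fail-safe, at parameter access) protects the page.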
