This same encoding function is necessary when trying to stop some classes of XSS defense.
<a href="http://www.somesite.com/data?test=<%= URL ENCODE UNTRUSTED DATA %>">Link</a>

And of course, adding a session ID to a URL is a security vulnerability known as session rewriting and is not recommended. :)

Aloha,
Jim

> Les Hazlewood created SHIRO-360:
> -----------------------------------
>
> Summary: Create UrlEncoder
> Key: SHIRO-360
> URL: https://issues.apache.org/jira/browse/SHIRO-360
> Project: Shiro
> Issue Type: New Feature
> Components: Web
> Reporter: Les Hazlewood
> Fix For: 1.3.0
>
>
> To customize how URL encoding in a web app occurs, we should have a
> UrlEncoder component. More specifically, this can be used to customize how
> JSESSIONID is appended to a URL (if at all, depending on security
> preferences).
>
> The solution could be resolved as follows:
>
> Create a new UrlEncoder interface:
>
> public interface UrlEncoder {
>     String encodeUrl(EncodeUrlRequest request);
> }
>
> The EncodeUrlRequest:
>
> public interface EncodeUrlRequest {
>     String getUrl();
>     HttpServletRequest getHttpServletRequest();
>     HttpServletResponse getHttpServletResponse();
>     ServletContext getServletContext();
> }
>
> Update WebEnvironment to have a new property:
>
> UrlEncoder getUrlEncoder();
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA
> administrators:
> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
> For more information on JIRA, see: http://www.atlassian.com/software/jira

--
Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
[email protected]
www.owasp.org
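Added example, not part of the thread above and not Shiro's own code. The two interfaces are copied from the SHIRO-360 proposal; everything else (SimpleEncodeUrlRequest, CookieOnlyUrlEncoder, ContainerUrlEncoder, SafeLinks, UrlEncodingDemo and their method names) is hypothetical. It shows the two points the reply and the issue together raise: a UrlEncoder policy that never appends JSESSIONID to a URL next to one that defers to the container's encodeURL, and percent-encoding of untrusted data before it is placed in the query-parameter slot of the quoted OWASP rule. It assumes Java 10 or later (for the Charset overload of URLEncoder.encode) and the javax.servlet API on the classpath.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Shiro's code. The two interfaces are copied from the
// SHIRO-360 proposal quoted above; every class below them is hypothetical.
interface UrlEncoder {
    String encodeUrl(EncodeUrlRequest request);
}

interface EncodeUrlRequest {
    String getUrl();
    HttpServletRequest getHttpServletRequest();
    HttpServletResponse getHttpServletResponse();
    ServletContext getServletContext();
}

// Hypothetical carrier for the values an encoder may need.
final class SimpleEncodeUrlRequest implements EncodeUrlRequest {
    private final String url;
    private final HttpServletRequest request;
    private final HttpServletResponse response;
    private final ServletContext context;

    SimpleEncodeUrlRequest(String url, HttpServletRequest request,
                           HttpServletResponse response, ServletContext context) {
        this.url = url;
        this.request = request;
        this.response = response;
        this.context = context;
    }

    @Override public String getUrl() { return url; }
    @Override public HttpServletRequest getHttpServletRequest() { return request; }
    @Override public HttpServletResponse getHttpServletResponse() { return response; }
    @Override public ServletContext getServletContext() { return context; }
}

// Hypothetical policy: never put the session id into a URL. The URL is
// returned untouched, so JSESSIONID can only travel in the session cookie.
final class CookieOnlyUrlEncoder implements UrlEncoder {
    @Override
    public String encodeUrl(EncodeUrlRequest request) {
        return request.getUrl();
    }
}

// Hypothetical policy: defer to the servlet container. HttpServletResponse
// .encodeURL appends ";jsessionid=..." whenever the container decides the
// client is not using cookies, which is the behaviour the reply warns about.
final class ContainerUrlEncoder implements UrlEncoder {
    @Override
    public String encodeUrl(EncodeUrlRequest request) {
        return request.getHttpServletResponse().encodeURL(request.getUrl());
    }
}

// Hypothetical helper for the "URL ENCODE UNTRUSTED DATA" slot of the quoted
// OWASP rule.
final class SafeLinks {
    private SafeLinks() {}

    // Percent-encodes one query-parameter value. URLEncoder leaves only
    // [A-Za-z0-9.-*_] as-is and turns space into '+', so '"', '<', '>', '&',
    // '#' and '/' become %XX and cannot terminate the parameter, the query
    // string, or the double-quoted href attribute around it.
    static String queryParam(String untrusted) {
        return URLEncoder.encode(untrusted, StandardCharsets.UTF_8); // Java 10+
    }

    // Renders the link from the quoted rule. Untrusted data is used only as an
    // encoded parameter value; the chosen UrlEncoder decides whether a session
    // id is appended to the finished URL.
    static String link(UrlEncoder encoder, HttpServletResponse response, String untrusted) {
        String url = "http://www.somesite.com/data?test=" + queryParam(untrusted);
        String finalUrl = encoder.encodeUrl(new SimpleEncodeUrlRequest(url, null, response, null));
        return "<a href=\"" + finalUrl + "\">Link</a>";
    }
}

public final class UrlEncodingDemo {
    public static void main(String[] args) {
        // Constructed attacker input: tries to close the href and add a parameter.
        String untrusted = "\"><script>alert(1)</script>&admin=true";
        // CookieOnlyUrlEncoder touches no servlet objects, so the demo runs offline.
        System.out.println(SafeLinks.link(new CookieOnlyUrlEncoder(), null, untrusted));
    }
}
```

Two notes on the design. First, URLEncoder's output is already safe to drop inside a double-quoted href, because none of the characters that would need HTML attribute encoding survive percent-encoding; the same is not true of data that is only HTML-encoded, which is why the OWASP rule calls for URL encoding in this slot. Second, a Servlet 3.0+ container can be told never to rewrite URLs with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, after which encodeURL returns the URL unchanged; an application-level UrlEncoder such as CookieOnlyUrlEncoder gives the same guarantee without depending on every deployment's container configuration.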
