hadoop-common-issues mailing list archives

From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7527) Make URL encoding consistent
Date Tue, 09 Aug 2011 15:12:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081691#comment-13081691 ]

Owen O'Malley commented on HADOOP-7527:
---------------------------------------

{quote}
Anyone who has done substantial web development would disagree with you that this is the correct
way.
{quote}

*Laugh* It was the Yahoo paranoids, who have done *thousands* of properties, who strongly suggested
it as by far the most reliable way of avoiding problems. XSS problems are endemic and very
hard to catch without tools. Mechanisms that cause the dev's code to fail in a safe way are
far preferable to ones that fail with an XSS that lies unfixed for years.

> Make URL encoding consistent
> ----------------------------
>
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
>
> URL encoding is currently handled in at least 5 different ways. We should make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> # encodePath from Jetty's URIUtil
> We should also be consistent about how we pass file names in URLs: sometimes they're
> passed in the path segment, sometimes they're passed in the query fragment as parameters.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
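
The fail-safe behaviour argued for in the comment above, as an added example that is not code from this thread or from Hadoop: request parameters are HTML-quoted when read, so a handler that forgets to escape still emits inert markup and a handler that escapes twice produces a visible, harmless bug. The class and method names (`QuoteOnReadDemo`, `QuotedParams`, `getRawParameter`, `quoteHtml`) and the sample parameter are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Hypothetical sketch: the names below are illustrative, not Hadoop's classes.
public class QuoteOnReadDemo {

    // HTML-escape the characters that matter in element and attribute context.
    static String quoteHtml(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for a request wrapper: the default accessor returns quoted
    // values, and the raw value has to be asked for explicitly.
    static final class QuotedParams {
        private final Map<String, String> raw;
        QuotedParams(Map<String, String> raw) { this.raw = raw; }
        String getParameter(String name) { return quoteHtml(raw.get(name)); }
        String getRawParameter(String name) { return raw.get(name); }
    }

    public static void main(String[] args) {
        // Constructed sample input.
        QuotedParams req = new QuotedParams(Map.of("dir", "/user/<b>x</b>&y=\"1\""));

        // 1. Handler forgets to escape: the output is still inert markup.
        System.out.println("<td>" + req.getParameter("dir") + "</td>");

        // 2. Handler escapes again: visibly double-escaped, easy to spot and fix.
        System.out.println("<td>" + quoteHtml(req.getParameter("dir")) + "</td>");

        // 3. URL context: URL-encode the raw value, then HTML-quote the attribute.
        String q = URLEncoder.encode(req.getRawParameter("dir"), StandardCharsets.UTF_8);
        System.out.println("<a href=\"" + quoteHtml("/browse?dir=" + q) + "\">open</a>");
    }
}
```

Case 3 is where the inconsistency listed in the issue description shows up: HTML quoting and URL encoding are different transformations for different output contexts, and code that builds a link needs both, applied in that order.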

        
