It appears the URI argument for org.dom4j.Namespace is not encoded but is written as is to the XML string. This can cause malformed XML and might even allow XML injection.
This is also problematic because the Namespace URI is decoded when read from XML. So reading valid XML with a URI containing encoded characters can lead to malformed XML when the same document is written again.
Is it better to url encode or xml encode those attributes? (I would think xml encoding or rejecting those values is better than messing with url escaping/normalization.)
[Definition: The two URIs are treated as strings, and they are identical if and only if the strings are identical, that is, if they are the same sequence of characters. ] The comparison is case-sensitive, and no %-escaping is done or undone.
So (to my understanding) performing URL encoding could change the meaning and should therefore not be done.
Related to #48
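As an added example (not dom4j's code; standard-library Python only), this shows the behaviour the thread converges on: the namespace declaration is XML-escaped on write and not %-encoded, and a read-write-read round trip catches a serializer that writes the decoded URI verbatim. The prefix `p`, the root element and the sample URI are constructed for the demonstration.

```python
import io
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import quoteattr

# Constructed sample namespace URI: a legal URI reference that carries
# '&' and '"', both of which must be escaped inside an XML attribute value.
SAMPLE_URI = 'http://example.com/ns?a=1&b="2"'


def serialize_raw(prefix: str, uri: str) -> str:
    """Defective pattern described in the issue: the URI is written verbatim."""
    return f'<root xmlns:{prefix}="{uri}"/>'


def serialize_escaped(prefix: str, uri: str) -> str:
    """Correct pattern: XML-escape the attribute value, no %-escaping."""
    return f'<root xmlns:{prefix}={quoteattr(uri)}/>'


def declared_namespaces(xml: str) -> dict:
    """Return {prefix: uri} as the parser decodes them.
    Raises ET.ParseError when the document is not well-formed."""
    events = ET.iterparse(io.BytesIO(xml.encode("utf-8")), events=("start-ns",))
    return {prefix: uri for _event, (prefix, uri) in events}


def is_well_formed(xml: str) -> bool:
    try:
        declared_namespaces(xml)
        return True
    except ET.ParseError:
        return False


def round_trips(uri: str, serializer) -> bool:
    """Read a valid document, write it back with `serializer`, read it again:
    the namespace URI must survive both hops unchanged."""
    parsed = declared_namespaces(serialize_escaped("p", uri))["p"]
    rewritten = serializer("p", parsed)
    return is_well_formed(rewritten) and declared_namespaces(rewritten)["p"] == uri


def url_encoding_changes_identity(uri: str) -> bool:
    """Namespace URIs compare as plain strings (no %-escaping is undone), so
    %-encoding yields a different namespace, not another spelling of the same one."""
    return quote(uri, safe=":/?=&") != uri
```

Running `round_trips(SAMPLE_URI, serialize_raw)` reproduces the failure mode from the issue (decoded on read, written unescaped, malformed on the second read), while the escaped serializer round-trips cleanly.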