[langsec-discuss] URL parsing

Michael E. Locasto locasto at ucalgary.ca
Sat Dec 7 21:04:49 UTC 2013

I have found lcamtuf's Browser Security Handbook to be a particularly
enlightening resource on this topic for my students:


On 12/7/13 12:36 PM, Will Sargent wrote:
> While we're on the topic of "X being broken" -- apparently URL parsing has
> to be done in stages, and each segment of a URL has different parsing
> rules.  And java.net.URLEncoder is only useful for HTTP form encoding, not
> actual URLs.
> http://blog.palominolabs.com/2013/10/03/creating-urls-correctly-and-safely/
> Which means everyone using Java, over the last 20 years or so, has been
> parsing URLs the wrong way.  I'm not sure there's enough face palm.
> Will.
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
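
The point in the quoted message, that each URL component has its own escaping rules and that `java.net.URLEncoder` implements only form encoding, can be shown with the short added example below. It is not code from this thread or from the linked blog post; the class `UrlComponents`, its helper methods, the conservative safe-character sets and the sample strings are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class UrlComponents {
    // RFC 3986 "unreserved" characters: literal in every component.
    private static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
    // A path segment may also carry sub-delims, ':' and '@', but never '/', '?' or '#'.
    private static final String PATH_SEGMENT_SAFE = UNRESERVED + "!$&'()*+,;=:@";
    // Assumption: a conservative set for one query key or value. '&' and '=' delimit
    // pairs and '+' means space to form decoders, so all three are escaped.
    private static final String QUERY_PARAM_SAFE = UNRESERVED + "!$'()*,:@/?";

    // Percent-encode the UTF-8 bytes of s, leaving only characters in 'safe' literal.
    static String percentEncode(String s, String safe) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            if (b >= 0 && safe.indexOf(c) >= 0) {
                out.append(c);                                  // ASCII and allowed here
            } else {
                out.append(String.format("%%%02X", b & 0xFF));  // everything else
            }
        }
        return out.toString();
    }

    static String encodePathSegment(String segment) {
        return percentEncode(segment, PATH_SEGMENT_SAFE);
    }

    static String encodeQueryParam(String keyOrValue) {
        return percentEncode(keyOrValue, QUERY_PARAM_SAFE);
    }

    public static void main(String[] args) throws Exception {
        String segment = "a b/c+d";   // constructed: must stay ONE path segment
        String value = "x&y=1 2";     // constructed: must stay ONE query value

        // Form encoding applied to a path segment: the space becomes '+',
        // which a path parser reads back as a literal plus sign.
        System.out.println("form-encoded segment: " + URLEncoder.encode(segment, "UTF-8"));

        // Stage-by-stage construction: each component is escaped with its own rules.
        String url = "http://example.com/files/" + encodePathSegment(segment)
                   + "?q=" + encodeQueryParam(value);
        System.out.println("component-encoded URL: " + url);
    }
}
```

The security-relevant difference is that the encoder and the eventual parser must agree on which characters are delimiters in each component; when they disagree, one side sees a different path or parameter set than the other.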
