For this URL, if I want to create a CSRF token, it gives me a 500 Internal Server Error:
https://abc/conf.tmpl?Email=ychandra-d%40dd.com&training=234
but if I use @ instead of %40, the CSRF token is generated:
https://abc/conf.tmpl?Email=ychandra-d@dd.com&training=234
Can someone help me understand why changing the URL pattern creates an error? Do I need to add any other dependencies for special characters?
I have done some implementation and added some files regarding CSRF:
Files added:
csrfguard.js
csrfguard.properties
Implementation done:
In web.xml, added csrfGuardServlet, Owasp.CsrfGuard.Config, Owasp.CsrfGuard.Config.Print, csrfGuardFilter (with its filter-mapping), CsrfGuardServletContextListener, CsrfGuardHttpSessionListener.
In the apply.tmpl file I added:
<script src="https://weblibrary.cdn.getgo.com/web-library-2/scripts/web-library.js"></script>
<script type="text/javascript" src="/public/csrfguard"></script>
as in the web.xml file:
<servlet-mapping>
<servlet-name>csrfGuardServlet</servlet-name>
<url-pattern>/public/csrfguard</url-pattern>
</servlet-mapping>
2 Answers
Ensure that the email parameter is URL-encoded properly. %40 is the URL-encoded representation of the ‘@’ symbol. When constructing the URL, use proper URL encoding to represent special characters.
The URL query component is encoded. You are not fully decoding it. %40 is the encoded form of @. Technically, @ is not required to be encoded in the query component, but your server is doing so.
After you split the query data on & and =, you need to decode the resulting substrings by replacing the %XX hex sequences with the corresponding bytes, and then converting the resulting bytes to string characters based on whatever charset your server uses (usually utf-8, but not always).
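The split-then-decode procedure described in this answer, as an added example; it is not code from the question, the answers, or OWASP CSRFGuard. The query string and UTF-8 charset come from the question; the class and method names are my own.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical helper), not part of the question or of OWASP CSRFGuard.
public final class QueryDecoder {

    /** Splits the raw query component on '&' and '=' and percent-decodes each piece. */
    public static Map<String, String> parse(String rawQuery, Charset charset) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return params;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode AFTER splitting: an encoded %26 ('&') or %3D ('=') inside a
            // value must not be treated as a delimiter.
            params.put(decode(key, charset), decode(value, charset));
        }
        return params;
    }

    /** Replaces each %XX with the byte it names and '+' with a space, then decodes the bytes. */
    public static String decode(String s, Charset charset) {
        byte[] in = s.getBytes(charset);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            int b = in[i] & 0xFF;
            if (b == '%') {
                if (i + 2 >= in.length) throw new IllegalArgumentException("truncated % escape at " + i);
                int hi = Character.digit((char) in[i + 1], 16);
                int lo = Character.digit((char) in[i + 2], 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad % escape at " + i);
                out.write((hi << 4) | lo);   // %40 -> 0x40 -> '@'; %C3%A9 -> two bytes -> 'é' in UTF-8
                i += 2;
            } else if (b == '+') {
                out.write(' ');              // form-encoding convention for space in query strings
            } else {
                out.write(b);
            }
        }
        // Only now turn the byte sequence into characters, using the server's charset.
        return new String(out.toByteArray(), charset);
    }

    public static void main(String[] args) {
        Map<String, String> p = parse("Email=ychandra-d%40dd.com&training=234", StandardCharsets.UTF_8);
        System.out.println(p.get("Email") + " / " + p.get("training"));
    }
}
```

Inside a servlet you normally do not need this at all: HttpServletRequest.getParameter("Email") already returns the decoded value, and the 500 usually means the raw, still-encoded query string is being parsed by hand or passed to a second decoder that rejects it.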