We're running Web Agent with and, when accessing a resource with Internet Explorer, if the protected resource has a " character in the query part of the URL, then the " character isn't percent-encoded.
Setting fcchtmlencoding to "yes" solves the vulnerability that a bug in the Internet Explorer browser introduces.
IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say
https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html
But we don't want to use fcchtmlencoding, as the HTML encoding doesn't apply to the other browsers, which show the " character as %22 instead (percent-encoding).
Moreover, according to RFC 3986, the URL should be percent-encoded. HTML encoding should be reserved for the content of a web page.
"A percent-encoding mechanism is used to represent a data octet in a component when that octet's corresponding character is outside the allowed set or is being used as a delimiter of, or within, the component.
Under normal circumstances, the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts."
Uniform Resource Identifier (URI): Generic Syntax
https://tools.ietf.org/html/rfc3986#section-2.1
and HTML encoding should be used for HTML entities:
Browser Security Handbook, part 1, Hypertext Markup Language, HTML entity encoding
HTML entity encoding: HTML features a special encoding scheme called HTML entities. The purpose of this scheme is to make it possible to safely render certain reserved HTML characters (e.g., < > &) within documents, as well as to carry high-bit characters safely over 7-bit media. The scheme nominally permits three types of notation:
One of predefined, named entities, in the format of &name; - for example &lt; for <, &gt; for >, &rarr; for →, etc.,
Decimal entities, &#number;, with a number corresponding to the desired Unicode character value - for example &#60; for <, &#8594; for →,
Hexadecimal entities, &#xnumber;, likewise - for example &#x3c; for <, &#x2192; for →.
How can we solve this?
The behavior you see is as per design.
You are expecting the Web Agent to encode the " character while SM-encoding the target URL when redirecting for credentials (login.fcc), to make the browser functionality look similar.
But IE is not encoding the " character while sending the request to the web server, whereas Firefox sends " as %22 when sending it to the web server.
IE: " character received as " by the web server.
Firefox: " character received as %22 by the web server.
The Web Agent is designed to make sure that the URL is preserved as it is even after authentication and authorization. For example, if the input URL to WA is http://server.com/index.html?key="val", the output URL (after authentication/authorization) will be the same as the input. If the input URL is, say, http://server.com/index.html?key=%22val%22, then the output URL will be the same. In this scenario " is encoded.
KB : KB000092571
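The thread contrasts RFC 3986 percent-encoding of a URL's query with HTML entity encoding, and the answer's two scenarios (a raw " preserved as-is, a %22 preserved as-is). The following is an added example, not code from the original post or from the Web Agent product: a small server-side normaliser that percent-encodes any character RFC 3986 does not allow raw in the query component (the " that Internet Explorer leaves unencoded, for instance) while leaving existing %XX sequences alone so Firefox-style input is not double-encoded, next to the HTML entity encoding that belongs to page content rather than to URLs. The QUERY_SAFE set, the function names and the sample URLs are assumptions of this example.

```python
"""Added example (not part of the original thread or of the Web Agent):
percent-encoding a URL query per RFC 3986 vs. HTML entity encoding for page
content. Assumed helper names; sample URLs are constructed for the demo."""
import html
import re
from urllib.parse import quote, urlsplit, urlunsplit

# RFC 3986: query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded
# / sub-delims / ":" / "@". quote() already keeps ASCII letters, digits and
# "_.-~" raw; this adds the sub-delims plus ":", "@", "/" and "?".
QUERY_SAFE = "!$&'()*+,;=:@/?"

# A valid, already percent-encoded triplet (kept as-is, normalised to upper case).
_PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def normalize_query(query: str) -> str:
    """Percent-encode every character RFC 3986 does not allow raw in a query.

    Existing %XX triplets are preserved (no double-encoding), a stray "%" that
    does not start a valid triplet is encoded as %25, and non-ASCII text is
    encoded as UTF-8 octets, which is what quote() does by default.
    """
    out = []
    i = 0
    while i < len(query):
        m = _PCT_TRIPLET.match(query, i)
        if m:
            out.append(m.group(0).upper())   # e.g. %22 stays %22, %2f -> %2F
            i = m.end()
            continue
        out.append(quote(query[i], safe=QUERY_SAFE))  # e.g. " -> %22, < -> %3C
        i += 1
    return "".join(out)


def normalize_url(url: str) -> str:
    """Rebuild the URL with a normalised query; scheme, host, path and
    fragment are passed through unchanged."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=normalize_query(parts.query)))


def html_encode_for_page(value: str) -> str:
    """HTML entity encoding (for text placed into an HTML document, not for a
    URL): " -> &quot;, < -> &lt;, > -> &gt;, & -> &amp;."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs mirroring the answer's two scenarios.
    ie_style = 'http://server.com/index.html?key="val"'        # " sent raw
    firefox_style = "http://server.com/index.html?key=%22val%22"  # " sent as %22
    for url in (ie_style, firefox_style):
        print(url, "->", normalize_url(url))
    # Same data, but destined for page content instead of a URL.
    print(html_encode_for_page('key="val"'))
```

Both constructed inputs normalise to the same URL, key=%22val%22, which is the percent-encoded form the question says the other browsers produce; the HTML-encoded form, key=&quot;val&quot;, is only correct inside page content and is not a substitute for encoding the URL itself.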