Issue with decodeFromURL method in the DefaultEncoder

Description

From vansu...@gmail.com on June 09, 2013 20:07:47

What steps will reproduce the problem?

See sample code:

String orig = " http://abc.com?custno=75&product=ANLYZR1";
String esapiDecode = ESAPI.encoder().decodeFromURL(orig);
System.out.println("ESAPI decode 2: " + esapiDecode);

What is the expected output? What do you see instead?

I expect the same URL as the orig URL to be presented. Instead I see the following:

ESAPI decode 2: http://abc.com?custno=75?uct=ANLYZR1

Notice the @prod got dropped and became ?uct

What version of the product are you using? On what operating system?

2.0.1

Does this issue affect only a specified browser or set of browsers?

All browsers affected

Please provide any additional information below.

What I have found: if I change the product to pr8duct, I get the result as &pr8duct

I have narrowed it down to the canonicalize method, and especially the PercentCodec

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=301
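
A stand-alone model of the behaviour in the report above, added here as an example; it is not ESAPI code and not from the reporter. It assumes the canonicalization step runs an HTML-entity pass that accepts named entities without the closing semicolon, so that `&prod` inside `&product` is read as the entity for ∏; `lenientEntityDecode`, `collides` and the small entity table are hypothetical names and data constructed for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Stand-alone model, NOT ESAPI code. Assumption: canonicalization includes an
// HTML-entity pass that accepts named entities without the closing ';'.
public class EntityCollisionDemo {
    // Small constructed subset of the HTML named-entity table.
    static final Map<String, String> ENTITIES = new LinkedHashMap<>();
    static {
        ENTITIES.put("prod", "\u220F"); // N-ARY PRODUCT sign
        ENTITIES.put("amp", "&");
        ENTITIES.put("lt", "<");
        ENTITIES.put("gt", ">");
    }

    // Hypothetical lenient decoder: longest entity name after '&', ';' optional.
    static String lenientEntityDecode(String in) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < in.length()) {
            String best = null;
            if (in.charAt(i) == '&') {
                for (String name : ENTITIES.keySet()) {
                    if (in.startsWith(name, i + 1)
                            && (best == null || name.length() > best.length())) {
                        best = name;
                    }
                }
            }
            if (best == null) { out.append(in.charAt(i++)); continue; }
            out.append(ENTITIES.get(best));
            i += 1 + best.length();
            if (i < in.length() && in.charAt(i) == ';') i++; // swallow optional ';'
        }
        return out.toString();
    }

    // True when a query parameter name would be rewritten by the lenient pass.
    static boolean collides(String paramName) {
        return !lenientEntityDecode("&" + paramName).equals("&" + paramName);
    }

    public static void main(String[] args) {
        // The report's two cases: "product" is rewritten, "pr8duct" is not.
        String[] urls = { "http://abc.com?custno=75&product=ANLYZR1",
                          "http://abc.com?custno=75&pr8duct=ANLYZR1" };
        for (String u : urls) System.out.println(u + " -> " + lenientEntityDecode(u));
        System.out.println("product: " + collides("product") + ", custno: " + collides("custno"));
    }
}
```

A console whose encoding cannot represent ∏ typically prints it as `?`, which is consistent with the `?uct` in the reported output.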

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority
