This rule flags URLs that contain a plus sign ("+") outside the query parameters portion of the URL. In Java code, the rule scans for the java.net.URL constructors and inspects the parameters used to create the URL. The rule looks for a plus sign in the URL but not in the query parameters. The query parameters include everything to the right of the "?" character in the URL.
Prior to WebSphere Application Server Version 5.1, when a URL was decoded, the whole URL was decoded, not just the query parameters. This behavior was not correct, and the web container was changed to not treat plus as a special character when it is not in the query parameters. This caused application regressions, and in Version 5.1.1.11 a web container custom property was added to allow you to control the behavior of decoding the plus. The default behavior for this custom property is the old behavior that decoded plus anywhere in the URL.
If you have URLs that contain a plus that should not be decoded, you must set the web container custom property com.ibm.ws.webcontainer.decodeURLPlusSign to false. The default behavior is true.
The Java rule inspects URL constructors and if possible checks the spec, host, and file parameters of the constructors to verify there are no plus signs. The rule scans constructors that pass String literals or final String variables that are defined in the same compilation unit. If it can inspect the spec, host or file parameters, it will only flag those constructors that violate the rule.
The Java rule will also flag instances of the URL constructor that have the spec, host or file name coded as a variable that cannot be inspected.
Example 1:

```java
import java.net.URL;

// The plus sign is only in the query parameters (after "?"), so the rule does not flag this constructor
URL url = new URL("http://www.domain.com?id=test&name=plus+sign");
```
In Example 1, the rule will not flag the URL constructor because the plus sign is in the query parameters.
Example 2:

```java
import java.net.URL;

// The plus sign is in the path ("/plus+path"), before the "?", so the rule flags this constructor
URL url = new URL("http://www.domain.com/plus+path?id=test&name=ok");
```
In Example 2, the rule will flag the URL constructor since there is a plus sign in the path part of the URL.
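The following is an added example, not code from the migration rule or from WebSphere itself. It implements the rule's split-at-"?" check from the description above as a small method, and shows why the distinction matters by decoding the two example URLs once as a whole and once with the query only, which is the difference the decodeURLPlusSign custom property controls. The class and method names (PlusSignCheck, hasPlusOutsideQuery, decodeWholeUrl, decodeQueryOnly) are assumptions for this illustration; the two URLs are the ones from Examples 1 and 2. It uses URLDecoder.decode(String, Charset), available from Java 10 on.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class name), not part of the original rule page.
public class PlusSignCheck {

    // Mirrors the rule's definition: the query is everything right of the
    // first "?", so a "+" anywhere to the left of it is outside the query.
    // Returns true for the case the rule flags.
    static boolean hasPlusOutsideQuery(String spec) {
        int q = spec.indexOf('?');
        String nonQuery = (q < 0) ? spec : spec.substring(0, q);
        return nonQuery.indexOf('+') >= 0;
    }

    // Simulates the default (decodeURLPlusSign=true) behaviour described above:
    // the whole URL is decoded, so "+" in the path becomes a space.
    static String decodeWholeUrl(String spec) {
        return URLDecoder.decode(spec, StandardCharsets.UTF_8);
    }

    // Simulates decodeURLPlusSign=false: the path is left alone and only the
    // query parameters are decoded.
    static String decodeQueryOnly(String spec) {
        int q = spec.indexOf('?');
        if (q < 0) {
            return spec;
        }
        return spec.substring(0, q + 1)
                + URLDecoder.decode(spec.substring(q + 1), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample input: the URLs from Example 1 and Example 2.
        String[] specs = {
            "http://www.domain.com?id=test&name=plus+sign",
            "http://www.domain.com/plus+path?id=test&name=ok"
        };
        for (String spec : specs) {
            // java.net.URL stores the string as given; it does not decode "+".
            URL url = new URL(spec);
            System.out.println("URL:              " + url);
            System.out.println("rule flags it:    " + hasPlusOutsideQuery(spec));
            System.out.println("decode whole URL: " + decodeWholeUrl(spec));
            System.out.println("decode query only:" + decodeQueryOnly(spec));
            System.out.println();
        }
    }
}
```

For the Example 1 URL, hasPlusOutsideQuery returns false and both decoding modes give the same result (the query value "plus sign"). For the Example 2 URL it returns true, and decoding the whole URL turns the path into "/plus path", which is the regression the custom property was introduced to avoid; decoding the query only leaves "/plus+path" intact. The same split applies to the file parameter of the other java.net.URL constructors, since file carries the path followed by the query.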
For additional information, see java.net.URL Java documentation.