This rule flags URIs from a JSP link tag (<a>) or a form action tag (<form action=>) that contain a plus (+) sign that is not in the query parameters portion of the URL.
Prior to WebSphere Application Server Version 5.1, when a URL was decoded, the whole URL was decoded, not just the query parameters. The web container was then changed so that a plus sign is no longer treated as a special character when it is not in the query parameters. In Version 5.1.1.11, a web container custom property was added to restore the original behavior of decoding the plus sign.
If you have URLs that contain a plus sign that should not be decoded, you must set the web container custom property com.ibm.ws.webcontainer.decodeURLPlusSign to false. The default value is true.
Example 1:

1. <a href='http://sample.com/some+path'>My Link</a>
2. <a href='http://sample.com/some+path?var=val'>My Link</a>
3. <a href='http://sample.com/somepath?var=val1+val2'>My Link</a>

In Example 1, the rule flags entries 1 and 2, because both contain the + sign outside the query parameters. Entry 3 is not flagged, because its + sign is inside the query parameters.
Example 2:

1. <form action="some+path/"> ... </form>
2. <form action="somepath/"> ... </form>

In Example 2, the rule will flag the first entry only.
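The following added example (not part of the original rule documentation or the WebSphere code base) shows why the rule cares about where the plus sign sits. It reproduces both decoding styles with java.net.URLDecoder: whole-URL decoding, where a plus in the path silently becomes a space, and query-only decoding, where the path keeps its literal plus. It also includes a small check, hasPlusOutsideQuery, that mirrors the rule's test on the three URIs from Example 1; the helper names are assumptions made for this illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class PlusSignDecoding {

    /** Mirrors the rule's check: is there a '+' anywhere before the query string? (hypothetical helper) */
    static boolean hasPlusOutsideQuery(String url) {
        int q = url.indexOf('?');
        String beforeQuery = (q < 0) ? url : url.substring(0, q);
        return beforeQuery.indexOf('+') >= 0;
    }

    /** Pre-5.1 style: the whole URL is form-decoded, so a '+' in the path also becomes a space. */
    static String decodeWholeUrl(String url) {
        return URLDecoder.decode(url, StandardCharsets.UTF_8); // Charset overload needs Java 10+
    }

    /** 5.1+ style: only the query string is form-decoded; the path is percent-decoded but keeps a literal '+'. */
    static String decodePathThenQuery(String url) {
        int q = url.indexOf('?');
        String path = (q < 0) ? url : url.substring(0, q);
        // Escaping '+' as %2B first lets URLDecoder percent-decode the path without turning '+' into a space.
        String decodedPath = URLDecoder.decode(path.replace("+", "%2B"), StandardCharsets.UTF_8);
        if (q < 0) {
            return decodedPath;
        }
        String decodedQuery = URLDecoder.decode(url.substring(q + 1), StandardCharsets.UTF_8);
        return decodedPath + "?" + decodedQuery;
    }

    public static void main(String[] args) {
        // Constructed sample URIs, taken from the three entries of Example 1 above.
        String[] samples = {
            "http://sample.com/some+path",
            "http://sample.com/some+path?var=val",
            "http://sample.com/somepath?var=val1+val2"
        };
        for (String url : samples) {
            System.out.println(url);
            System.out.println("  flagged by rule : " + hasPlusOutsideQuery(url));
            System.out.println("  pre-5.1 decode  : " + decodeWholeUrl(url));
            System.out.println("  5.1+ decode     : " + decodePathThenQuery(url));
        }
    }
}
```

For the first two samples the pre-5.1 decode yields a path of "some path" while the 5.1+ decode keeps "some+path", which is exactly the difference in resource resolution that the rule and the decodeURLPlusSign property exist to control.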
For additional information, see the java.net.URL Java documentation.