In the cases where url are sent in headers we dont must to sanitize it. (#735)

iroqueta · web-flow · commit 81834e78bab5 · 2023-06-21T10:44:54.000-03:00
* In the cases where url are sent in headers we dont must to sanitize it.
Issue: 103288

* For the moment we are not going to sanitize header values because it's taking a lot of problem.
diff --git a/gxweb/src/main/java/com/genexus/internet/HttpAjaxContext.java b/gxweb/src/main/java/com/genexus/internet/HttpAjaxContext.java
@@ -1358,7 +1358,7 @@ public void redirect_impl(String url, IGXWindow win) {
 
 			if (isSpaRequest(true)) {
 				pushUrlSessionStorage();
-				getResponse().setHeader(GX_SPA_REDIRECT_URL, url + popLvlParm);
+				getResponse().setHeader(GX_SPA_REDIRECT_URL, url + popLvlParm, false);
 				sendCacheHeaders();
 			} else {
 				redirect_http(url + popLvlParm);
diff --git a/java/src/main/java/com/genexus/webpanels/HttpContextWeb.java b/java/src/main/java/com/genexus/webpanels/HttpContextWeb.java
@@ -1318,7 +1318,7 @@ protected void redirect_http(String url) {
 				} else {
 					pushUrlSessionStorage();
 					if (useCustomRedirect()) {
-						getResponse().setHeader("Location", url);
+						getResponse().setHeader("Location", url, false);
 						getRequest().setAttribute("gx_webcall_method", "customredirect");
 						getResponse().setStatus(HttpServletResponse.getSC_MOVED_TEMPORARILY());
 					} else {
@@ -1336,7 +1336,7 @@ private void doRedirect(String url) throws IOException {
 		getRequest().setAttribute("gx_webcall_method", "redirect");
 		// getResponse().sendRedirect(url); No retornamos 302 sino 301, debido al SEO.
 		response.setStatus(HttpServletResponse.getSC_MOVED_PERMANENTLY());
-		response.setHeader("Location", url);
+		response.setHeader("Location", url, false);
 		sendCacheHeaders();
 	}
 
diff --git a/wrapperjakarta/src/main/java/com/genexus/servlet/http/HttpServletResponse.java b/wrapperjakarta/src/main/java/com/genexus/servlet/http/HttpServletResponse.java
@@ -28,9 +28,9 @@ public void setHeader(String name, String value) {
 	}
 
 	public void setHeader(String name, String value, boolean sanitize) {
-		if (sanitize)
-			resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
-		else
+		//if (sanitize)
+		//	resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
+		//else
 			resp.setHeader(name, value);
 	}
 
diff --git a/wrapperjavax/src/main/java/com/genexus/servlet/http/HttpServletResponse.java b/wrapperjavax/src/main/java/com/genexus/servlet/http/HttpServletResponse.java
@@ -28,9 +28,9 @@ public void setHeader(String name, String value) {
 	}
 
 	public void setHeader(String name, String value, boolean sanitize) {
-		if (sanitize)
-			resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
-		else
+		//if (sanitize)
+		//	resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
+		//else
 			resp.setHeader(name, value);
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -28,9 +28,9 @@ public void setHeader(String name, String value) {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`public void setHeader(String name, String value, boolean sanitize) {`
`31`		`- if (sanitize)`
`32`		`- resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));`
`33`		`- else`
	`31`	`+ //if (sanitize)`
	`32`	`+ // resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));`
	`33`	`+ //else`
`34`	`34`	`resp.setHeader(name, value);`
`35`	`35`	`}`
`36`	`36`