Fix ill-encoding of UriBuilder class (#1598)

This method misses URLEncode.encode() encapsulation, which leaves the danger of URL injection.

Fix ill-encoding of UriBuilder class (#1598)
This method misses URLEncode.encode() encapsulation, which leaves the danger of URL injection.
5389d426 · jerry73204 · Jeffrey Schiller · 90bad32f · 5389d426
Commit 5389d426 authored Mar 13, 2019 by jerry73204 Committed by Jeffrey Schiller Mar 12, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

appinventor/appengine/src/com/google/appinventor/server/util/UriBuilder.java ...ne/src/com/google/appinventor/server/util/UriBuilder.java +3 -1

No files found.
--- a/appinventor/appengine/src/com/google/appinventor/server/util/UriBuilder.java
+++ b/appinventor/appengine/src/com/google/appinventor/server/util/UriBuilder.java
@@ -11,6 +11,8 @@

 package com.google.appinventor.server.util;

+import java.net.URLEncoder;
+
 public class UriBuilder {
  private StringBuilder sb = new StringBuilder();
  private boolean first = true;
@@ -30,7 +32,7 @@ public class UriBuilder {
    } else {
      sb.append("&");
    }
-    sb.append(key + "=" + value);
+    sb.append(URLEncoder.encode(key) + "=" + URLEncoder.encode(value));
    return this;
  }