Log Message: |
Improved: Fixing defects reported by FindBugs, package
org.apache.ofbiz.securityext.login.
(OFBIZ-9637)
No functional change.
I prefer to use URLEncoder.encode(reqParam, "UTF-8") rather than ESAPI HTML
encoder for 3 reasons:
* URLEncoder.encode() is sufficient to answer to HTTP response splitting using
Percent-encoding (aka URL encoding)
* Consistent and simpler code using basic Java
* Using "UTF-8" is (more than) recommended, see
https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html
I will check what using ESAPI HTML encoder entails. As the Javadoc says, "Not doing
so may introduce incompatibilities." We have 30+ cases, they are maybe OK, but
we need to check...
|
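
The percent-encoding argument made in the log message, as an added example (not code from the commit or from OFBiz): a request parameter is passed through URLEncoder.encode(reqParam, "UTF-8") before it is placed in a redirect target, and the result is checked for raw CR/LF. The class name, the redirectTarget helper, the /app/login path and the sample values are all constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class ResponseSplittingDemo {

    // True if the value still contains a character that can end a header line.
    static boolean containsLineBreak(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    // Hypothetical helper: appends a request parameter to a redirect target,
    // percent-encoding the value so CR and LF become %0D and %0A.
    static String redirectTarget(String base, String name, String reqParam)
            throws UnsupportedEncodingException {
        return base + "?" + name + "=" + URLEncoder.encode(reqParam, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample inputs: plain value, value with a space,
        // value carrying CR LF plus a header line, and a non-ASCII value.
        String[] samples = {
            "admin",
            "first last",
            "x\r\nSet-Cookie: injected=1",
            "caf\u00e9"
        };

        for (String reqParam : samples) {
            // Unencoded concatenation, shown only for comparison.
            String raw = "/app/login?user=" + reqParam;
            String encoded = redirectTarget("/app/login", "user", reqParam);

            System.out.println("encoded target : " + encoded);
            System.out.println("  raw has CR/LF     : " + containsLineBreak(raw));
            System.out.println("  encoded has CR/LF : " + containsLineBreak(encoded));

            // A header value must never be emitted with a line break in it.
            if (containsLineBreak(encoded)) {
                throw new IllegalStateException("line break survived encoding");
            }
        }
    }
}
```

The explicit "UTF-8" argument also fixes how the non-ASCII sample is turned into bytes before percent-encoding, which is the point of the Javadoc recommendation the message links to.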