We're running Web Agent with and when accessing a resource with
Internet Explorer, if the protected resources has a " character in the
query part of the URL, then the character " isn't percentage encoded.
Setting fcchtmlencoding to "yes" solves the vulnerability that a bug
in Internet Explorer browser introduces.
IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say
But we don't want to use fcchtmlencoding, as the HTML encoding
doesn't apply to the other browsers that show the " character as %22
More, according to rfc3986, the URL should be percent-encoded. The
HTML encoding should be reserved to the content of a web page.
"A percent-encoding mechanism is used to represent a data octet in a
component when that octet's corresponding character is outside the
allowed set or is being used as a delimiter of, or within, the
Under normal circumstances, the only time when octets within a URI
are percent-encoded is during the process of producing the URI from
its component parts."
Uniform Resource Identifier (URI): Generic Syntax
and HTML encoding should be use for an HTML entity :
Browser Security Handbook, part 1
Hypertext Markup Language
HTML entity encoding
HTML entity encoding HTML features a special encoding scheme
called HTML entities. The purpose of this scheme is to make it
possible to safely render certain reserved HTML characters (e.g., < >
&) within documents, as well as to carry high bit characters safely
over 7-bit media. The scheme nominally permits three types of
One of predefined, named entities, in the format of &; - for
example < for <, > for >, → for →, etc,
Decimal entities, &#;, with a number corresponding to the
desired Unicode character value - for example < for <, →
Hexadecimal entities, &#x;, likewise - for example < for
<, → for →.
How can we solve this ?
The behavior you see is as per design.
You are expecting that Web Agent to encode the " character while
smencoding the target URL , when redirecting for
credentials(login.fcc) to make the browser functionality look similar.
But IE is not encoding " character while sending the request to
webserver, whereas Firefox sends " as %22 while sending it to
IE: " character received as " by webserver.
Firefox: " character received as %22 by webserver.
The Web Agent is designed to make sure that URL is preserved as it is
even after authentication and authorization. For example if input URL
to WA is http://server.com/index.html?key="val", the output URL(after
authentication/authorization) will be same as input. If input URL is
say http://server.com/index.html?key=%22val%22, then output URL will
be same. In this scenario " is encoded.