Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it

Document ID : KB000092571
Last Modified Date : 20/04/2018
Show Technical Document Details
Issue:
We're running Web Agent with and when accessing a resource with
Internet Explorer, if the protected resources has a " character in the
query part of the URL, then the character " isn't percentage encoded.

Setting fcchtmlencoding to "yes" solves the vulnerability that a bug 
in Internet Explorer browser introduces. 

IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say 
https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html 

But we don't want to use fcchtmlencoding, as the HTML encoding 
doesn't apply to the other browsers that show the " character as %22 
instead (Percent-Encoding). 

More, according to rfc3986, the URL should be percent-encoded. The 
HTML encoding should be reserved to the content of a web page. 

"A percent-encoding mechanism is used to represent a data octet in a 
component when that octet's corresponding character is outside the 
allowed set or is being used as a delimiter of, or within, the 
component. 

[...] 

Under normal circumstances, the only time when octets within a URI 
are percent-encoded is during the process of producing the URI from 
its component parts." 

Uniform Resource Identifier (URI): Generic Syntax 
https://tools.ietf.org/html/rfc3986#section-2.1 

and HTML encoding should be use for an HTML entity : 

Browser Security Handbook, part 1 
Hypertext Markup Language 
 HTML entity encoding 

HTML entity encoding HTML features a special encoding scheme 
called HTML entities. The purpose of this scheme is to make it 
possible to safely render certain reserved HTML characters (e.g., < > 
&) within documents, as well as to carry high bit characters safely 
over 7-bit media. The scheme nominally permits three types of 
notation: 

One of predefined, named entities, in the format of &; - for 
example < for <, > for >, → for →, etc, 

Decimal entities, &#;, with a number corresponding to the 
desired Unicode character value - for example < for <, → 
for →, 

Hexadecimal entities, &#x;, likewise - for example < for 
<, → for →. 

https://code.google.com/archive/p/browsersec/wikis/Part1.wiki#HTML_entity_encoding 

How can we solve this ?
Resolution:
The behavior you see is as per design. 

You are expecting that Web Agent to encode the " character while
smencoding the target URL , when redirecting for
credentials(login.fcc) to make the browser functionality look similar.

But IE is not encoding " character while sending the request to 
webserver, whereas Firefox sends " as %22 while sending it to 
webserver. 

IE: " character received as " by webserver. 
Firefox: " character received as %22 by webserver. 

The Web Agent is designed to make sure that URL is preserved as it is 
even after authentication and authorization. For example if input URL 
to WA is http://server.com/index.html?key="val", the output URL(after 
authentication/authorization) will be same as input. If input URL is 
say http://server.com/index.html?key=%22val%22, then output URL will 
be same. In this scenario " is encoded.