Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it


Article ID: 92571




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


We're running Web Agent with and when accessing a resource with
Internet Explorer, if the protected resource has a " character in the
query part of the URL, then the " character isn't percent-encoded.

Setting fcchtmlencoding to "yes" solves the vulnerability that a bug 
in the Internet Explorer browser introduces. 

IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say 

But we don't want to use fcchtmlencoding, as HTML encoding 
doesn't apply to the other browsers, which instead send the " character 
as %22 (percent-encoding). 

Moreover, according to RFC 3986, the URL should be percent-encoded. 
HTML encoding should be reserved for the content of a web page. 

"A percent-encoding mechanism is used to represent a data octet in a 
component when that octet's corresponding character is outside the 
allowed set or is being used as a delimiter of, or within, the 


Under normal circumstances, the only time when octets within a URI 
are percent-encoded is during the process of producing the URI from 
its component parts." 

Uniform Resource Identifier (URI): Generic Syntax 

and HTML encoding should be used for an HTML entity: 

Browser Security Handbook, part 1, Hypertext Markup Language, 
HTML entity encoding 

"HTML entity encoding: HTML features a special encoding scheme 
called HTML entities. The purpose of this scheme is to make it 
possible to safely render certain reserved HTML characters (e.g., < > 
&) within documents, as well as to carry high bit characters safely 
over 7-bit media. The scheme nominally permits three types of 

One of predefined, named entities, in the format of &name; - for 
example &lt; for <, &gt; for >, &rarr; for →, etc, 

Decimal entities, &#nn;, with a number corresponding to the 
desired Unicode character value - for example &#60; for <, &#8594; 
for →, 

Hexadecimal entities, &#xnn;, likewise - for example &#x3C; for 
<, &#x2192; for →." 


How can we solve this?


Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


The behavior you see is by design. 

You are expecting the Web Agent to encode the " character while
smencoding the target URL when redirecting for credentials
(login.fcc), so that the behavior looks the same across browsers.

But IE is not encoding " character while sending the request to 
webserver, whereas Firefox sends " as %22 while sending it to 

IE: " character received as " by webserver. 
Firefox: " character received as %22 by webserver. 

The Web Agent is designed to make sure that the URL is preserved as-is 
even after authentication and authorization. For example, if the input 
URL to the Web Agent is http://server.com/index.html?key="val", the 
output URL (after authentication/authorization) will be the same as the 
input. If the input URL is http://server.com/index.html?key=%22val%22, 
then the output URL will again be the same as the input; in this 
scenario " is encoded.
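As an added illustration, not code from the product or from this article, the Python below shows the two encodings the question contrasts: RFC 3986 percent-encoding applied only to the query component, which leaves octets a browser already encoded untouched so that the IE form key="val" and the Firefox form key=%22val%22 normalize to the same URL, beside HTML entity encoding, which belongs to page content such as a URL echoed into login.fcc markup. The function names and the sample inputs are assumptions made here.

```python
from urllib.parse import urlsplit, urlunsplit, quote
import html
import re

# Characters RFC 3986 allows literally in a query component: unreserved
# (letters, digits, "-._~", which quote() never touches) plus sub-delims,
# ":", "@", "/" and "?".  The '"' character is not among them.
QUERY_SAFE = "!$&'()*+,;=:@/?"

# An already percent-encoded octet, e.g. the %22 that Firefox sends for '"'.
_PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def percent_encode_query(query: str) -> str:
    """Percent-encode every character RFC 3986 does not allow literally in a
    query, keeping existing %XX triplets so the result is idempotent:
    key="val" (as IE sends it) and key=%22val%22 (as Firefox sends it)
    both come out as key=%22val%22."""
    out = []
    i = 0
    while i < len(query):
        m = _PCT_TRIPLET.match(query, i)
        if m:                      # keep an existing %XX; never double-encode it
            out.append(m.group(0))
            i = m.end()
        else:                      # bare '%' (no hex) or any other char: encode
            out.append(quote(query[i], safe=QUERY_SAFE))
            i += 1
    return "".join(out)


def normalize_url(url: str) -> str:
    """Return the URL with only its query component re-encoded; scheme,
    host and path are passed through unchanged."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=percent_encode_query(parts.query)))


def html_entity_encode(text: str) -> str:
    """HTML entity encoding (what fcchtmlencoding applies): use it when the
    URL is written into markup, not to encode the URL on the wire."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for u in ('http://server.com/index.html?key="val"',      # constructed, as IE sends it
              'http://server.com/index.html?key=%22val%22'):  # constructed, as Firefox sends it
        print(u, "->", normalize_url(u))
    # The same raw value placed inside an HTML attribute needs entities instead.
    print(html_entity_encode('?key="val"&next=1'))
```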