[filter-advanced-encodings] stanza
Use the [filter-advanced-encodings] stanza to configure the types of URL encoding that are detected and filtered.
Syntax
[filter-advanced-encodings]
<escaping method> = <chars to escape>
<escaping method> = <chars to escape>
...
Description
The WebSEAL advanced filtering can process a number of URL encoding types. Use this stanza to define the types of encoding to be detected and filtered.
Options
- <escaping method>
- ampersand
- Ampersand encoded. For example:
HTTP://host:port/path?V1=D1&amp;V2=D2
- ampersand-hex
- Ampersand just hex encoded. For example:
HTTP&#x3a;&#x2f;&#x2f;host&#x3a;port&#x2f;
- ampersand-dec
- Ampersand just dec encoded. For example:
HTTP&#58;&#47;&#47;host&#58;port&#47;
- escaped
- Backslash encoded. For example:
HTTP:\/\/host:port\/
- percent
- Percent hex encoded. For example:
HTTP%3A%2F%2Fhost%3Aport%2F
- escaped-u
- Backslash U hex encoded. For example:
HTTP:\u002f\u002fhost:port\u002f
- percent-u
- Percent U hex encoded. For example:
HTTP%u003a//host%u003aport/
- escaped-x
- Backslash X hex encoded. For example:
HTTP\x3A\x2F\x2Fhost\x3Aport\x2F
- <chars to escape>
- A list of characters that need encoding, which are governed by the following rules:
- If two characters are separated by a '-' (hyphen) character, then this is a range of characters to encode. For example, "A-Z" indicates all characters from 'A' to 'Z' including 'A' and 'Z'.
- If the first character in the list is the '^' character, then the listed characters are those not to encode. For example, "^A-Za-z" indicates all characters excluding characters from 'A' to 'Z' and excluding characters from 'a' to 'z'.
- If the first character (excluding the '^' character) is a '-' (hyphen) character, then that is taken as the literal '-' character rather than representing a range of characters.
Usage
It is permissible to have multiple entries with the same <escaping method>, if they produce different encodings of the "://" string.
WebSEAL applies the <escaping method> to the string "://", encoding only the characters selected by <chars to escape>, and uses that encoded value in combination with "http" or "https" to detect encoded URLs. The very first entry should define the "ampersand" encoding method and should not list the characters ':' and '/' in <chars to escape>. This entry then matches URLs with an un-encoded "://".
Default value
None.
Example
[filter-advanced-encodings]
ampersand = &<>"'
ampersand-hex = ^a-zA-Z0-9.
ampersand-dec = ^a-zA-Z0-9.
percent = ^a-zA-Z0-9.
escaped-x = ^a-zA-Z0-9.
This example specifies the following behavior:
- ampersand = &<>"'
- This allows WebSEAL to find and filter unencoded links such as "http://backend.com:80/". It identifies the link by looking for "http" or "https" followed by "://". Any WebSEAL host name or junction path replaced in the filtered link will have the characters &<>"' replaced by their encoded forms: &amp;, &lt;, &gt;, &quot; and the entity for the apostrophe, respectively.
- ampersand-hex = ^a-zA-Z0-9.
- This allows WebSEAL to find and filter ampersand hex encoded links such as "http&#x3a;&#x2f;&#x2f;backend.com&#x3a;80&#x2f;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#x3a;&#x2f;&#x2f;". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#xHH;.
- ampersand-dec = ^a-zA-Z0-9.
- This allows WebSEAL to find and filter ampersand dec encoded links such as "http&#58;&#47;&#47;backend.com&#58;80&#47;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#58;&#47;&#47;". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#DDD;.
- percent = ^a-zA-Z0-9.
- This allows WebSEAL to find and filter percent hex encoded links such as "http%3a%2f%2fbackend.com%3a80%2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "%3a%2f%2f". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms %HH. This may be required for attributes with Flash URLs.
- escaped-x = ^a-zA-Z0-9.
- This allows WebSEAL to find and filter backslash X hex encoded links such as "http\x3a\x2f\x2fbackend.com\x3a80\x2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "\x3a\x2f\x2f". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms \xHH. This may be required for JavaScript encoded URLs.
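The following Python sketch is an added illustration, not IBM or WebSEAL code. It models the <chars to escape> rules and the "://" encoding step described under Usage, then reports which entries of the example stanza would match a constructed sample. Using html.escape for the "ampersand" method, lowercase hex digits and case-insensitive matching are assumptions.

```python
import html
# Added illustration of the rules on this page; a model, not WebSEAL code.
ENCODERS = {
    "ampersand":     html.escape,  # assumption: stand-in for entity encoding
    "ampersand-hex": lambda c: f"&#x{ord(c):02x};",
    "ampersand-dec": lambda c: f"&#{ord(c)};",
    "escaped":       lambda c: "\\" + c,
    "percent":       lambda c: f"%{ord(c):02x}",
    "escaped-u":     lambda c: f"\\u{ord(c):04x}",
    "percent-u":     lambda c: f"%u{ord(c):04x}",
    "escaped-x":     lambda c: f"\\x{ord(c):02x}",
}

def must_encode(spec, ch):
    """Apply the <chars to escape> rules: '^' negation, ranges, leading '-'."""
    negate = spec.startswith("^")
    body = spec[1:] if negate else spec
    listed, i = set(), 0
    if body.startswith("-"):          # leading hyphen is a literal '-'
        listed.add("-")
        i = 1
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":   # range such as A-Z
            listed.update(chr(n) for n in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            listed.add(body[i])
            i += 1
    return (ch in listed) != negate

def encoded_separator(method, spec):
    """Encode '://' the way the given stanza entry would."""
    return "".join(ENCODERS[method](c) if must_encode(spec, c) else c for c in "://")

def matching_entries(text, entries):
    """Return the methods whose 'http'/'https' + encoded '://' occurs in text."""
    low = text.lower()                # assumption: case-insensitive matching
    seps = [(m, encoded_separator(m, s).lower()) for m, s in entries]
    return [m for m, sep in seps if "http" + sep in low or "https" + sep in low]

# The stanza from the Example section, in file order.
EXAMPLE = [("ampersand", "&<>\"'"), ("ampersand-hex", "^a-zA-Z0-9."),
           ("ampersand-dec", "^a-zA-Z0-9."), ("percent", "^a-zA-Z0-9."),
           ("escaped-x", "^a-zA-Z0-9.")]
# Constructed sample: a script body carrying a backslash-x encoded link.
SAMPLE = 'var u = "http\\x3a\\x2f\\x2fbackend.com\\x3a80\\x2f";'
```

A link encoded with a method that has no entry in the stanza (for example percent-u here) matches nothing in this model, which is the case to check for when a junctioned application emits absolute URLs that reach the client unfiltered.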