[filter-advanced-encodings] stanza

Use the [filter-advanced-encodings] stanza to configure the types of URL encoding that are detected and filtered.

Syntax

[filter-advanced-encodings]
     <escaping method> = <chars to escape>
     <escaping method> = <chars to escape>
     ...

Description

The WebSEAL advanced filtering can process a number of URL encoding types. Use this stanza to define the types of encoding to be detected and filtered.

Options

<escaping method>
ampersand
Ampersand encoded. For example:
HTTP://host:port/path?V1=D1&amp;V2=D2
ampersand-hex
Ampersand just hex encoded. For example:
HTTP&#x3a;&#x2f;&#x2f;host&#x3a;port&#x2f;
ampersand-dec
Ampersand just dec encoded. For example:
HTTP&#58;&#47;&#47;host&#58;port&#47;
escaped
Backslash encoded. For example:
HTTP:\/\/host:port\/
percent
Percent hex encoded. For example:
HTTP%3A%2F%2Fhost%3Aport%2F
escaped-u
Backslash U hex encoded. For example:
HTTP:\u002f\u002fhost:port\u002f
percent-u
Percent U hex encoded. For example:
HTTP%u003a//host%u003aport/
escaped-x
Backslash X hex encoded. For example:
HTTP\x3A\x2F\x2Fhost\x3Aport\x2F
<chars to escape>
A list of characters that need encoding, which are governed by the following rules:
  • If two characters are separated by a '-' (hyphen) character, then this is a range of characters to encode. For example, "A-Z" indicates all characters from 'A' to 'Z' including 'A' and 'Z'.
  • If the first character in the list is the '^' character, then the listed characters are those not to encode. For example, "^A-Za-z" indicates all characters excluding characters from 'A' to 'Z' and excluding characters from 'a' to 'z'.
  • If the first character (excluding the '^' character) is a '-' (hyphen) character, then that is taken as the literal '-' character rather than representing a range of characters.

Usage

It is permissible to have multiple entries with the same <escaping method>, if they produce different encodings of the "://" string.

WebSEAL applies the <escaping method> to <chars to escape> to encode the string "://", and uses that encoded value in combination with "http" or "https" to detect encoded URLs. The first entry should define the "ampersand" encoding method and should not list the characters ':' and '/' in <chars to escape>. That entry then matches URLs with an un-encoded "://".

Default value

None.

Example

[filter-advanced-encodings]
ampersand     = &<>"'
ampersand-hex = ^a-zA-Z0-9.
ampersand-dec = ^a-zA-Z0-9.
percent       = ^a-zA-Z0-9.
escaped-x     = ^a-zA-Z0-9.

This example specifies the following behavior:

ampersand = &<>"'
This allows WebSEAL to find and filter unencoded links such as "http://backend.com:80/". It identifies the link by looking for "http" or "https" followed by "://". Any WebSEAL host name or junction path replaced in the filtered link will have the characters &<>"' replaced by their encoded forms, &amp; &lt; &gt; &quot; and &#x2c; respectively.
ampersand-hex = ^a-zA-Z0-9.
This allows WebSEAL to find and filter ampersand hex encoded links such as "http&#x3a;&#x2f;&#x2f;backend.com&#x3a;80&#x2f;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#x3a;&#x2f;&#x2f;". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#xHH;.
ampersand-dec = ^a-zA-Z0-9.
This allows WebSEAL to find and filter ampersand decimal encoded links such as "http&#58;&#47;&#47;backend.com&#58;80&#47;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#58;&#47;&#47;". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#DDD;.
percent = ^a-zA-Z0-9.
This allows WebSEAL to find and filter percent hex encoded links such as "http%3a%2f%2fbackend.com%3a80%2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "%3a%2f%2f". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms %HH. This may be required for attributes with Flash URLs.
escaped-x = ^a-zA-Z0-9.
This allows WebSEAL to find and filter backslash X hex encoded links such as "http\x3a\x2f\x2fbackend.com\x3a80\x2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "\x3a\x2f\x2f". Any WebSEAL host name or junction path replaced in the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms \xHH. This may be required for JavaScript encoded URLs.
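
The detection rule from the Usage section, modelled in Python as an added example (not WebSEAL's own code): it parses <chars to escape>, encodes "://" for each entry, and searches for "http" or "https" followed by that value. The function names, the SAMPLE text, lower-case hex output, the entity handling for "ampersand", and case-insensitive matching are assumptions of this model.

```python
import html
import re

# One-character encoders per <escaping method>; lower-case hex is an assumption.
ENCODERS = {
    "ampersand":     html.escape,  # standard-library entities only (assumption)
    "ampersand-hex": lambda c: "&#x%02x;" % ord(c),
    "ampersand-dec": lambda c: "&#%d;" % ord(c),
    "escaped":       lambda c: "\\" + c,
    "percent":       lambda c: "%%%02x" % ord(c),
    "escaped-u":     lambda c: "\\u%04x" % ord(c),
    "percent-u":     lambda c: "%%u%04x" % ord(c),
    "escaped-x":     lambda c: "\\x%02x" % ord(c),
}
STANZA = """[filter-advanced-encodings]
ampersand     = &<>"'
ampersand-hex = ^a-zA-Z0-9.
ampersand-dec = ^a-zA-Z0-9.
percent       = ^a-zA-Z0-9.
escaped-x     = ^a-zA-Z0-9.
"""  # the example stanza from this page
# Constructed sample: one plain and one escaped-x link, as in an inline script.
SAMPLE = 'a="http://backend.com:80/"; b="http\\x3a\\x2f\\x2fbackend.com\\x3a80\\x2f";'

def must_encode(spec):
    """Predicate for <chars to escape>: '^' negates, a leading '-' is literal."""
    negate = spec.startswith("^")
    body = spec[1:] if negate else spec
    chars = {"-"} if body.startswith("-") else set()
    rest = body[1:] if chars else body
    for lo, hi, one in re.findall(r"(.)-(.)|(.)", rest):  # X-Y range or one char
        chars.update(map(chr, range(ord(lo), ord(hi) + 1)) if lo else one)
    return lambda c: (c in chars) != negate

def scheme_separators(stanza):
    """Return [(method, encoded '://')] for each entry, in stanza order."""
    out = []
    for line in stanza.splitlines():
        method, eq, spec = (part.strip() for part in line.partition("="))
        if eq and method in ENCODERS:
            enc, test = ENCODERS[method], must_encode(spec)
            out.append((method, "".join(enc(c) if test(c) else c for c in "://")))
    return out

def find_encoded_urls(text, stanza):
    """Return (method, offset) where http/https precedes an encoded '://'."""
    hits = []
    for method, sep in scheme_separators(stanza):
        pat = re.compile("https?" + re.escape(sep), re.I)  # re.I is an assumption
        hits += [(method, m.start()) for m in pat.finditer(text)]
    return hits
```

Running scheme_separators over a proposed stanza before deploying it shows which encoded forms of "://" the filter would look for, and whether the first entry still matches the un-encoded form.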