Tags: tomcat, urlencode, tomcat9, cargo, hippocms

Tomcat rejects URL encoded "<" and ">" symbols


Tomcat 9.0.54 rejects my URL because of the "<" and ">" symbols. It rejects it also when they are in the percent-encoded forms "%3C" and "%3E". I also tried adding relaxedQueryChars="&lt;&gt;" to the Connector in the server.xml, but to no avail.

The Tomcat instance is spun up by Cargo when running the Bloomreach CMS. The URL is as follows:

http://localhost:8080/site/api/documents?_expr=(hippostdpubwf:lastModificationDate%3Exs:dateTime('2021-04-09T20:56:18.496%2B02:00'))

Changing the %3E to a "=" (%3D) makes the URL accepted by Tomcat.

When spinning up a default Tomcat docker, this issue is not present.

Has anyone had a similar issue, or could someone point me in a direction which might fix this issue?

EDIT: Replacing ">" with "gt" will result in a proper query without having to interfere with the XSSUrlFilter that Jeroen mentioned.


Solution

  • Looks like you're hitting the org.hippoecm.hst.container.XSSUrlFilter that is present by default in the web.xml of the site webapp.

    It's a simple, extendable filter to prevent basic scripting attacks. Regards, Jeroen

    PS you might like the forums at community.bloomreach.com
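Added example (not code from the question, from Bloomreach or from Tomcat): a simplified Python model of the two layers the request crosses, showing why relaxedQueryChars on the Connector cannot help when a webapp-level filter such as XSSUrlFilter rejects a percent-encoded ">" after the container has decoded it. The connector character list, the filter's rule set and the spacing around "gt" are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Characters the Tomcat HTTP connector refuses when they appear *raw* in the
# query string; relaxedQueryChars="..." in server.xml whitelists them.
# Simplified model (assumption): the real list may differ slightly.
CONNECTOR_REJECTED_RAW = set('<>"{}|\\^`[]')

# Characters a basic scripting filter such as the HST XSSUrlFilter rejects in
# the *decoded* request. Assumption: the filter's exact rules are not on the page.
FILTER_REJECTED_DECODED = set("<>")


def connector_accepts(url: str, relaxed_query_chars: str = "") -> bool:
    """Layer 1: the connector checks the raw request line, before decoding,
    so percent-encoded characters always pass this layer."""
    query = urlsplit(url).query
    banned = CONNECTOR_REJECTED_RAW - set(relaxed_query_chars)
    return not any(ch in banned for ch in query)


def filter_accepts(url: str) -> bool:
    """Layer 2: a servlet filter sees the percent-decoded path and query,
    so %3C / %3E are visible to it as '<' / '>'."""
    parts = urlsplit(url)
    decoded = unquote(parts.path) + "?" + unquote(parts.query)
    return not any(ch in FILTER_REJECTED_DECODED for ch in decoded)


def request_outcome(url: str, relaxed_query_chars: str = "") -> str:
    """Run a URL through both layers and report where it stops."""
    if not connector_accepts(url, relaxed_query_chars):
        return "rejected by connector"
    if not filter_accepts(url):
        return "rejected by filter"
    return "accepted"


# URL from the question, and the "gt" rewrite from the EDIT.
# Spacing around "gt" (%20) is an assumption about the _expr syntax.
ORIGINAL = ("http://localhost:8080/site/api/documents?_expr="
            "(hippostdpubwf:lastModificationDate%3Exs:dateTime"
            "('2021-04-09T20:56:18.496%2B02:00'))")
REWRITTEN = ORIGINAL.replace("%3E", "%20gt%20")

if __name__ == "__main__":
    print(request_outcome(ORIGINAL))                          # rejected by filter
    print(request_outcome(ORIGINAL, relaxed_query_chars="<>"))  # rejected by filter
    print(request_outcome(REWRITTEN))                         # accepted
```

The encoded ">" never reaches the connector's raw-character check, which is why relaxedQueryChars changes nothing here; only the filter layer, or a query rewrite such as "gt", decides the outcome.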