NSE function url.escape is currently using lower-case hexadecimal digits to perform URL encoding (a.k.a. percent encoding). While this is allowed by RFC 3986, section 2.1, it is also recommended that upper-case digits are used:
For consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent-encodings.
Implementing this change would bring the NSE implementation in line with browser behavior but, more importantly, there are real-world web servers, such as Tridium Niagara, that do not properly parse lower-case hexadecimal digits.
The code change is trivial, but the function is very widely used throughout the NSE code base so it deserves an opportunity for discussion. If no objections are raised then the following patch will be committed in early May:
--- a/nselib/url.lua+++ b/nselib/url.lua@@ -58,7 +58,7 @@
local function hex_esc (c)
- return string.format("%%%02x", string.byte(c))+ return string.format("%%%02X", string.byte(c))
-- these are allowed within a path segment, along with alphanum
The text was updated successfully, but these errors were encountered: