From 951f05766cc43d6d7cfc3a0d4ec5a8667f966bb5 Mon Sep 17 00:00:00 2001
From: devloop
Date: Wed, 31 Jul 2024 20:59:33 +0200
Subject: [PATCH] Support more usual cases for string_without_payload
---
 tests/attack/test_mod_ldap.py | 2 ++
 wapitiCore/attack/mod_ldap.py | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/tests/attack/test_mod_ldap.py b/tests/attack/test_mod_ldap.py
index a1d0072f1..dcc9e2d17 100644
--- a/tests/attack/test_mod_ldap.py
+++ b/tests/attack/test_mod_ldap.py
@@ -20,6 +20,8 @@ def test_string_without_payload():
 assert string_without_payload("Hello ", "") == "Hello "
 assert string_without_payload("Hello <there>", "") == "Hello "
+ assert string_without_payload("Hello+%3Cthere%3E", " ") == "Hello"
+ assert string_without_payload("Hello%20%3Cthere%3E", " ") == "Hello"
 def test_find_ldap_error():
diff --git a/wapitiCore/attack/mod_ldap.py b/wapitiCore/attack/mod_ldap.py
index 825e49b19..344916c27 100644
--- a/wapitiCore/attack/mod_ldap.py
+++ b/wapitiCore/attack/mod_ldap.py
@@ -22,6 +22,7 @@ from os.path import join as path_join
 from typing import Optional, Iterator, List, Tuple, Dict, Any
 from hashlib import md5
+from urllib.parse import quote_plus, quote
 from httpx import RequestError
@@ -44,7 +45,15 @@ class PayloadInfo:
 def string_without_payload(text: str, payload: str) -> str:
 # Most search pages will show your search term. This will make the hash of the page change each time
 # We remove here the search term its possible HTML escaped version.
- return text.replace(payload, "").replace(html.escape(payload), "")
+ return text.replace(
+ payload, ""
+ ).replace(
+ html.escape(payload), ""
+ ).replace(
+ quote_plus(payload), ""
+ ).replace(
+ quote(payload), "",
+ )
 # from https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/ldapi.py
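Review bot: In the last hunk, `quote(payload)` leaves `/` unescaped because its default is `safe='/'`, while `quote_plus` escapes it, so a reflection that writes spaces as `%20` and slashes as `%2F` matches neither new variant and would still change the page hash this function is meant to stabilise. Using `quote(payload, safe="")` covers that form; whether any payload actually contains `/` is not visible in this hunk, so treat it as hardening. Both calls also emit uppercase hex only, so a page that echoes `%3c` rather than `%3C` is not stripped. The comment above the return still mentions only the HTML-escaped form and could read `# We remove the search term and its HTML-escaped and URL-encoded (quote_plus / quote) forms.`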