click-dev mailing list archives

From Bob Schellink <sab...@gmail.com>
Subject AbstractLink request parameter leak
Date Fri, 04 Jun 2010 12:04:31 GMT
When binding incoming request parameters, AbstractLink adds all incoming parameters to its own parameter map.

Given the url: /page.htm?id=5&customer=John

will add both "id" and "customer" to the link parameter map:

assertEquals(5, link.getParameter("id")); // true
assertEquals("John", link.getParameter("customer")); // true

A problem I'm picking up when using AbstractLink to make Ajax GET requests is that all Ajax request parameters are also added to the link parameters. If the link is then sent back to the browser as a Partial result, the link renders the parameters sent as part of the Ajax request. On subsequent requests the Ajax parameters will again be added to the link, which grows unbounded.

One solution could be to only bind parameters that were explicitly set before onProcess:

url: /page.htm?id=5&customer=John

public void onInit() {
  link.setParameter("id", 1);
}

assertEquals(5, link.getParameter("id")); // true
assertEquals("John", link.getParameter("customer")); // false

With the suggested change only "id" will be added to the link params.

This could have an impact on existing apps if they rely on this behavior.

And of course the parameters are still available from Context:

assertEquals("John", getContext().getRequestParameter("customer")); // true

Thoughts?

Bob
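
Added example, not part of the original message and not Click's own code: a small stand-alone Java model of the two binding strategies discussed above, run over simulated Ajax round trips. The class ModelLink, the method roundTrips and the per-request parameter names "ajax0", "ajax1", ... are hypothetical and constructed for illustration; it assumes each Ajax request carries the link's rendered parameters plus one new Ajax-only parameter.

```java
import java.util.*;

// Hypothetical model of the binding behaviour in the message; not Click's AbstractLink.
public class LinkBindingDemo {
    static class ModelLink {
        final Map<String, String> params = new LinkedHashMap<>();
        final boolean bindOnlyDeclared;
        ModelLink(boolean bindOnlyDeclared) { this.bindOnlyDeclared = bindOnlyDeclared; }

        // Copy request parameters into the link's own parameter map.
        void bind(Map<String, String> request) {
            Set<String> declared = new HashSet<>(params.keySet()); // names set before binding
            for (Map.Entry<String, String> e : request.entrySet()) {
                if (!bindOnlyDeclared || declared.contains(e.getKey())) {
                    params.put(e.getKey(), e.getValue());
                }
            }
        }
    }

    // Simulate n Ajax round trips. Each request sends back whatever the link last
    // rendered, plus one constructed Ajax-only parameter ("ajax" + i).
    static int roundTrips(boolean bindOnlyDeclared, int n) {
        Map<String, String> rendered = new LinkedHashMap<>();
        rendered.put("id", "5");
        rendered.put("customer", "John");
        for (int i = 0; i < n; i++) {
            ModelLink link = new ModelLink(bindOnlyDeclared); // fresh page per request
            link.params.put("id", "1");                       // explicitly set, as in onInit
            Map<String, String> request = new LinkedHashMap<>(rendered);
            request.put("ajax" + i, "1");
            link.bind(request);
            rendered = link.params; // the partial response re-renders the link
        }
        return rendered.size();
    }

    public static void main(String[] args) {
        System.out.println("bind everything:    " + roundTrips(false, 10) + " link parameters");
        System.out.println("bind declared only: " + roundTrips(true, 10) + " link parameters");
    }
}
```

With bind-everything the rendered parameter set gains one entry per round trip; with declared-only binding it stays at the names the page set itself, so the rendered link also stops reflecting arbitrary request parameters.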

