Date: Wed, 30 Jun 2010 09:57:50 -0400 (EDT)
From: "Bob Schellink (JIRA)"
To: dev@click.apache.org
Subject: [jira] Updated: (CLK-685) Deprecate AbstractLink parameters binding - binding link parameters can lead to leaking parameters, especially for Ajax requests.

     [ https://issues.apache.org/jira/browse/CLK-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Schellink updated CLK-685:
------------------------------

    Summary: Deprecate AbstractLink parameters binding - binding link parameters can lead to leaking parameters, especially for Ajax requests.  (was: Links should be able to restrict parameter binding for Ajax requests)

    Description:
AbstractLink binds all incoming request parameters to its own parameter map. This makes the link quite easy to use but has the potential to leak parameters which aren't targeted at the link. It also duplicates the parameters already present on the Context.

The problem becomes obvious when using Ajax to invoke a link. Any extra parameters passed for the Ajax request will be added to the link parameter map.

It is not common for applications to use link.getParameter, and with the above-mentioned issues I suggest we remove getParameter, getParameterValues and getParameters from AbstractLink. Click won't bind incoming request parameters to the link. However, it will still be possible to set link parameters and render them.

See http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html for more details.

  was:
AbstractLink binds all incoming request parameters to its own parameter map. This makes the link quite easy to use but has the potential to leak parameters which aren't targeted at the link.

The problem becomes obvious when using Ajax to invoke a link. Any extra parameters passed for the Ajax request will be added to the link parameter map.

We need to introduce a "strict" parameter binding strategy for links so that only those parameters that were defined *before* the processing event should be bound. The "strict" policy can be set to "on" for Ajax and "off" for normal requests.

See http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html for more details.

I've reverted the strictParameterBinding option and instead deprecated AbstractLink getParameter, getParameters and getParameterValues.

> Deprecate AbstractLink parameters binding - binding link parameters can lead to leaking parameters, especially for Ajax requests.
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLK-685
>                 URL: https://issues.apache.org/jira/browse/CLK-685
>             Project: Click
>          Issue Type: Sub-task
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Bob Schellink
>            Assignee: Bob Schellink
>             Fix For: 2.3.0-M1
>
>
> AbstractLink binds all incoming request parameters to its own parameter map. This makes the link quite easy to use but has the potential to leak parameters which aren't targeted at the link. It also duplicates the parameters already present on the Context.
> The problem becomes obvious when using Ajax to invoke a link. Any extra parameters passed for the Ajax request will be added to the link parameter map.
> It is not common for applications to use link.getParameter, and with the above-mentioned issues I suggest we remove getParameter, getParameterValues and getParameters from AbstractLink. Click won't bind incoming request parameters to the link. However, it will still be possible to set link parameters and render them.
> See http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html for more details.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
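
Added example, not part of the original message and not Click's own code: a simplified Java model of the binding behaviour the issue describes, comparing bind-everything with the "strict" idea from the earlier description. `DemoLink`, its methods, the URL layout and the request parameters are all constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of the behaviour described in CLK-685.
// DemoLink is a hypothetical class, not Click's AbstractLink.
public class LinkBindingDemo {
    static class DemoLink {
        final Map<String, String> parameters = new LinkedHashMap<>();

        // Bind-everything: copy every incoming request parameter into the link.
        void bindAll(Map<String, String> request) {
            parameters.putAll(request);
        }

        // "Strict" idea: only parameters already defined on the link
        // before the request is processed get their values updated.
        void bindStrict(Map<String, String> request) {
            for (Map.Entry<String, String> e : parameters.entrySet()) {
                if (request.containsKey(e.getKey())) {
                    e.setValue(request.get(e.getKey()));
                }
            }
        }

        // Render the link's parameter map back into a URL (constructed layout,
        // no URL encoding since the sample values are plain tokens).
        String href() {
            StringBuilder sb = new StringBuilder("/page.htm?link=editLink");
            parameters.forEach((k, v) -> sb.append('&').append(k).append('=').append(v));
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed Ajax request: "id" is meant for the link, the other
        // two parameters were sent by the Ajax call for unrelated purposes.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("id", "42");
        request.put("searchTerm", "invoices");
        request.put("pageEvent", "refresh");

        DemoLink leaky = new DemoLink();
        leaky.parameters.put("id", "0");
        leaky.bindAll(request);      // searchTerm and pageEvent now live on the link
        System.out.println(leaky.href());

        DemoLink strict = new DemoLink();
        strict.parameters.put("id", "0");
        strict.bindStrict(request);  // only the pre-defined "id" is updated
        System.out.println(strict.href());
    }
}
```

In the first case the unrelated request parameters are written back out wherever the link is rendered, which is the leak the issue refers to.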