Message-ID: <6863920.68461289733193733.JavaMail.jira@thor>
Date: Sun, 14 Nov 2010 06:13:13 -0500 (EST)
From: "Bob Schellink (JIRA)"
To: dev@click.apache.org
Subject: [jira] Commented: (CLK-685) AbstractLink should only bind explicitly defined parameters for Ajax requests

    [ https://issues.apache.org/jira/browse/CLK-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12931810#action_12931810 ]

Bob Schellink commented on CLK-685:
-----------------------------------

This has been implemented as follows:

- When processing an Ajax request, only the parameters that exist in the link parameter map will be bound. This ensures that extra parameters added by an Ajax request won't be added to the link, and leak parameters on subsequent requests
- A new helper method, defineParameter(String name), has been added which will ensure a parameter with that name exists on the link

> AbstractLink should only bind explicitly defined parameters for Ajax requests
> -----------------------------------------------------------------------------
>
>                 Key: CLK-685
>                 URL: https://issues.apache.org/jira/browse/CLK-685
>             Project: Click
>          Issue Type: Sub-task
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Bob Schellink
>            Assignee: Bob Schellink
>             Fix For: 2.3.0-M1
>
>
> AbstractLink binds all incoming request parameters to its own parameter map. This makes the link quite easy to use but has the potential to leak parameters which aren't targeted at the link. It also duplicates the parameters already present on the Context.
> The problem becomes obvious when using Ajax to invoke a link. Any extra parameters passed for the Ajax request will be added to the link parameter map.
> It is not common for applications to use link.getParameter and with the above mentioned issues I suggest we remove getParameter, getParameterValues and getParameters from AbstractLink. Click won't bind incoming request parameters to the link. However it will still be possible to set link parameters and render them.
> See http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html for more details.
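
The Ajax binding rule described in the comment above, as a self-contained Java sketch. This is an added example, not Apache Click source: `SketchLink`, `bindRequest` and the sample request are hypothetical, only the method name `defineParameter(String name)` comes from the comment, and keeping bind-everything behaviour for non-Ajax requests is an assumption drawn from the issue description.

```java
import java.util.*;

// Simplified model of the allowlist binding rule; hypothetical, not Click's implementation.
public class LinkBindingSketch {
    static class SketchLink {
        private final Map<String, Object> parameters = new LinkedHashMap<>();

        // Models the described helper: make sure a parameter with this name exists.
        void defineParameter(String name) {
            if (!parameters.containsKey(name)) {
                parameters.put(name, null);
            }
        }

        // Ajax requests: bind only names already present in the parameter map.
        // Non-Ajax requests: bind everything (assumed unchanged from the old behaviour).
        void bindRequest(Map<String, String[]> request, boolean ajax) {
            for (Map.Entry<String, String[]> entry : request.entrySet()) {
                String[] values = entry.getValue();
                if (values == null || (ajax && !parameters.containsKey(entry.getKey()))) {
                    continue; // undeclared Ajax parameter is dropped, so it is never rendered later
                }
                parameters.put(entry.getKey(), values.length == 1 ? values[0] : values);
            }
        }

        Map<String, Object> getParameters() {
            return Collections.unmodifiableMap(parameters);
        }
    }

    public static void main(String[] args) {
        // Constructed sample request: one declared parameter plus extras sent along by an Ajax call.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("customerId", new String[] {"42"});
        request.put("_", new String[] {"1289733193733"});
        request.put("token", new String[] {"constructed-sample-value"});

        SketchLink ajaxLink = new SketchLink();
        ajaxLink.defineParameter("customerId");
        ajaxLink.bindRequest(request, true);
        System.out.println("ajax:     " + ajaxLink.getParameters().keySet());

        SketchLink plainLink = new SketchLink();
        plainLink.bindRequest(request, false);
        System.out.println("non-ajax: " + plainLink.getParameters().keySet());
    }
}
```

Running it shows the Ajax-bound link holding only the declared name, while the non-Ajax link picks up every request parameter and would carry them into any URL it renders afterwards.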