myfaces-dev mailing list archives

From "Scott O'Bryan (JIRA)" <...@myfaces.apache.org>
Subject [jira] Commented: (MYFACES-1841) HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding ( ex: & should be encoded in &amp)
Date Mon, 24 Mar 2008 18:37:28 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12581633#action_12581633 ]

Scott O'Bryan commented on MYFACES-1841:
----------------------------------------

Makes sense to me.  Seems to be something that the TCK should have caught though...

> HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding  ( ex: & should be encoded in &amp)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-1841
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1841
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General, Portlet_Support
>    Affects Versions: 1.1.4, 1.1.5,  1.2.0
>         Environment: Windows xp sp2->Jboss portal  2.4.2->tomcat 5.5 ->JSF portlet
>            Reporter: Lorenzo Cerulli
>
> HtmlFormRenderer is the class in charge of rendering the UIForm component and all the required attributes.
> This class is in charge of rendering, for example, the Form component into <form id="foo" name="bar" action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex. .....> </form>
> During the rendering process the form renderer uses HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of the form component.
> Generally speaking the action attribute should be acquired using "context.getApplication().getViewHandler().getActionURL(context, viewid))" and the result MUST be encoded using "context.getExternalContext().encodeActionURL" before passing the url to the "HtmlResponseWriterImpl.writeURIAttribute(URL);" This way the URL will be well formed and will be correctly encoded in the action attribute.
> Even if the HtmlFormRendererBase for example correctly implements this process the resulting URL is encoded in the action attribute without correctly transforming "&" in "&amp".
> At this point we can argue that this bug could be generated by two different sources:
> 1. Not correct URL encoding performed by javax.faces.context.FacesContext during context.getExternalContext().encodeActionURL [this is not related to myfaces and probably depends on the PortletResponse object implemented by the container JBOSS portal in this case]
> 2. Not correct URI encoding within HtmlResponseWriterImpl.writeURIAttribute(URL) [related to myfaces]
> Analyzing the source code of the latter I noticed that writeURIAttribute(URL) internally calls the HTMLEncoder.encode method to perform string encoding if the URI starts with the "javascript" prefix, otherwise does not perform any kind of encoding.
> Probably this is a bug because an enforcement of URI encoding rules should be provided in any case;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
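
The two behaviours discussed in the issue, side by side, as an added example that is not part of the original message and is not MyFaces source code. The class, the method names and the sample URL are hypothetical; the "reported" variant is reconstructed only from the reporter's description (escaping applied solely to URIs starting with "javascript").

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

// Added illustration; class and method names are hypothetical, not MyFaces source.
public class UriAttributeDemo {

    // Escape characters that are significant inside a double-quoted attribute.
    // The URL's own percent-encoding is left untouched.
    static String escapeAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour as the reporter describes it: only "javascript" URIs are escaped.
    static void writeUriAttributeReported(Writer w, String name, String uri) throws IOException {
        String v = uri.startsWith("javascript") ? escapeAttribute(uri) : uri;
        w.write(" " + name + "=\"" + v + "\"");
    }

    // Behaviour the issue asks for: escape every URI, whatever its prefix.
    static void writeUriAttributeEscaped(Writer w, String name, String uri) throws IOException {
        w.write(" " + name + "=\"" + escapeAttribute(uri) + "\"");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample, shaped like an already-encoded portlet action URL.
        String actionUrl = "/portal/window?action=1&VIEW_ID=%2FWEB-INF%2Fjsp%2Fpage.jsp";
        StringWriter reported = new StringWriter();
        StringWriter escaped = new StringWriter();
        writeUriAttributeReported(reported, "action", actionUrl);
        writeUriAttributeEscaped(escaped, "action", actionUrl);
        System.out.println("<form" + reported + ">");  // raw '&' reaches the markup
        System.out.println("<form" + escaped + ">");   // '&' written as "&amp;"
    }
}
```

Escaping at the point where the attribute is written keeps the markup well formed no matter which container produced the URL, so the outcome does not depend on what encodeActionURL returns.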

