struts-dev mailing list archives

From: Matthias Kerkhoff <m...@BESToffers.de>
Subject: Beanutils.filter() and URLs
Date: Mon, 13 Nov 2000 14:22:53 GMT
Hi all,

this time I would like to bring your attention to (yet undetected?)
problems with BeanUtils.filter(), if used to encode URLs.


The situation:
--------------
This method is used from various tags of the Struts codebase. From
the way it's used, it seems that most developers think of this
method as a way to safely encode characters that have a special
meaning in/for HTML _and_ HTTP. Examples of the typical usage of
filter() include the encoding of query parameters and the encoding
of HTML content.


The problem:
------------
The set of characters with a special meaning largely depends on the
context in which the string is used.
Some examples:
The '#' character is used as a delimiter for anchors in URLs, but
has no special meaning in HTML content. filter() does not encode
the anchor.
The '%' character is used to mark encoded characters in URLs, but
has no special meaning in HTML content. filter() does not encode
the percentage sign.
The '&' character is used to mark the beginning of a character
entity. In URLs, it has varying meanings; it's e.g. used as a
separator in query strings but is otherwise allowed (mostly).
filter() always encodes the ampersand sign.
The '[' and ']' characters, which are used internally as index markers
in Struts, are mentioned as 'unwise' in the RFC spec, that is, they
should rather be encoded. filter() does not encode these characters.


How it manifests:
----------------
A good example to illustrate the problem is the link tag. The link
tag contains some code that builds a URL and optionally appends
some bean properties after URL-encoding the values.

After the URL is built, the whole URL is filter'ed. This results in
% signs being encoded twice (they're already URL-encoded);
& being encoded once as &amp; (may cause problems depending on the
  server software, which may (or may not) recognize &amp; as query
  parameter separator);
[] not being encoded at all (this may become important when Struts
  supports nested properties in the form tags).


(Possible) solution:
--------------------
Adding a static method String filterFor(int context, String value){..}
that accepts an additional context argument. This argument should
be used to indicate the intended use of the filtered string. The
method should properly encode the given value with regard to the
specified context. Some candidates for context types are ...
- HTML
  (should resolve to URLEncoder.encode)
- URIPATH
  (encodes the path component of a URL)
- QUERYPARAM
  (encodes the name or value of a query argument)


-- 
Matthias                          mailto:make@BESToffers.de
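As an added example (not code from this message, and not Struts' own BeanUtils), the sketch below implements the proposed filterFor(int context, String value) with the three contexts named above, and its main() walks through the "How it manifests" scenario: a query value is URL-encoded, the URL is assembled, and the assembled URL is then encoded a second time as if it were a bare value, which is where the doubled "%" comes from. The class name ContextFilter, the helper names, and the sample property name and value are my own assumptions; the character sets follow java.net.URLEncoder for query parameters and the unreserved set of the URI RFC for path segments.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Hypothetical context-aware replacement for a one-size-fits-all filter(). */
public final class ContextFilter {
    public static final int HTML = 0;       // value goes into HTML text or an attribute
    public static final int URIPATH = 1;    // value is one path segment of a URL
    public static final int QUERYPARAM = 2; // value is a query-string name or value

    private ContextFilter() {}

    /** HTML context: escape only what HTML itself treats specially. '%', '#', '[' and ']' are left alone. */
    public static String htmlFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** QUERYPARAM context: application/x-www-form-urlencoded, so '&', '=', '%', '#', '[' and ']' are all encoded. */
    public static String queryParamFilter(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /** URIPATH context: percent-encode one path segment, keeping only the RFC unreserved characters. */
    public static String uriPathFilter(String value) {
        byte[] bytes;
        try {
            bytes = value.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (byte b : bytes) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                sb.append((char) c);
            } else { // '/' is encoded too: this is a single segment, not a whole path
                sb.append('%')
                  .append(Character.toUpperCase(Character.forDigit(c >> 4, 16)))
                  .append(Character.toUpperCase(Character.forDigit(c & 0xf, 16)));
            }
        }
        return sb.toString();
    }

    /** The method proposed in the message: the caller names the context, the filter picks the encoding. */
    public static String filterFor(int context, String value) {
        switch (context) {
            case HTML:       return htmlFilter(value);
            case URIPATH:    return uriPathFilter(value);
            case QUERYPARAM: return queryParamFilter(value);
            default: throw new IllegalArgumentException("unknown context " + context);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a Struts-style indexed property name and a value with '%' and '&'.
        String name = "user[0].name";
        String value = "50% off & more";

        // Correct layering: encode each query part in QUERYPARAM context, then assemble.
        String url = "/app/show.do?" + filterFor(QUERYPARAM, name) + "=" + filterFor(QUERYPARAM, value);
        System.out.println("assembled URL:              " + url);

        // The hazard from the message: treating the finished URL as a bare value and
        // encoding it again doubles every '%' ("%25" becomes "%2525") and mangles '/', '?' and '='.
        System.out.println("URL encoded a second time:  " + filterFor(QUERYPARAM, url));

        // Emitting the URL into an href attribute is an HTML context: only '&' changes, to "&amp;".
        System.out.println("URL in HTML attribute:      " + filterFor(HTML, url));

        // The same raw name in each context: [] are encoded in URL contexts, untouched in HTML.
        System.out.println("name as path segment:       " + filterFor(URIPATH, name));
        System.out.println("name as query param:        " + filterFor(QUERYPARAM, name));
        System.out.println("name as HTML text:          " + filterFor(HTML, name));
    }
}
```

Run with `javac ContextFilter.java && java ContextFilter`. The design point is that each encoding is applied exactly once, in the layer that owns the context: query parts before the URL is assembled, and HTML escaping only when the finished URL is written into markup. In an HTML attribute the "&amp;" form is the standard serialization that browsers decode back to "&" before issuing the request; the server-side concern raised in the message applies where the filtered string is consumed as a raw URL rather than as HTML.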


