Posted to dev@ofbiz.apache.org by Si Chen <si...@opensourcestrategies.com> on 2006/07/13 03:32:36 UTC

url string encoding on re-directs

Hi.

I just noticed that in the request handler, when you redirect  
requests in a request chain or on a request-redirect, it is not  
filtering out special characters, so you can get a URL like this:

151307 (http-0.0.0.0-8443-Processor3) [     RequestHandler.java:505:INFO ] [Sending redirect]: /crmsfa/control/viewAccount?postalCode=89&attnName=&preContactMechTypeId=POSTAL_ADDRESS&address2=&address1=#123 &countryGeoId=USA&donePage=viewAccount&allowSolicitation=&toName=&city=la&contactMechTypeId=POSTAL_ADDRESS&partyId=DemoAccount1&stateProvinceGeoId=BR-AC

That "#" in the middle will break your URL.

I tracked down the responsible code to here in RequestHandler.java:

    private void callRedirect(String url, HttpServletResponse resp, HttpServletRequest req) throws RequestHandlerException {
        if (Debug.infoOn()) Debug.logInfo("[Sending redirect]: " + url, module);

Should I change it to clean out the URL first, based on this:
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm?  It seems
like space and ampersand are already taken care of.

Should I put that into the UtilHttp method?

Si

Re: url string encoding on re-directs

Posted by "David E. Jones" <jo...@undersunconsulting.com>.
This is a can of worms. I wouldn't recommend passing so much information in a redirect URL, not ever.

A couple of big problems come to mind right off:

- HTTP URLs are not UTF-8 encoded, or in any i18n-friendly encoding, just good old 8859-1 (if I remember right); so including full data in them will always be problematic

- encoding a URL can't be done if all you have is the full URL string; if you have a Map that will go into the parameter string of a URL then you can encode each name/value independently, but by definition the parsing of a full URL is impossible... otherwise encoding wouldn't be needed... ;)

-David


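
The point made in the reply above, that each name and value can be encoded independently when the parameters are still in a Map but not once they are a single URL string, shown as an added example (not code from OFBiz or from either poster). `buildRedirectUrl` is a hypothetical helper, the parameter values are constructed, and `URLEncoder.encode(String, Charset)` requires Java 10 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

public class RedirectUrlExample {

    // Hypothetical helper (not OFBiz's UtilHttp): encode every name and value
    // on its own, then join, so only the '=' and '&' separators stay literal.
    static String buildRedirectUrl(String path, Map<String, String> params) {
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String> e : params.entrySet()) {
            query.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)
                    + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return query.length() == 0 ? path : path + "?" + query;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample parameters modelled on the log line in the thread.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("address1", "#123 Main & 1st");
        params.put("countryGeoId", "USA");
        params.put("partyId", "DemoAccount1");

        // Already-concatenated string: the parser cannot tell a '#' that is data
        // from a fragment delimiter, so every later parameter leaves the query.
        String naive = "/crmsfa/control/viewAccount?address1=#123&countryGeoId=USA";
        URI parsed = new URI(naive);
        System.out.println("naive query:    " + parsed.getRawQuery());
        System.out.println("naive fragment: " + parsed.getRawFragment());

        // Per-parameter encoding: '#', '&' and space inside a value are escaped
        // before the string is assembled, so the structure survives parsing.
        String safe = buildRedirectUrl("/crmsfa/control/viewAccount", params);
        URI reparsed = new URI(safe);
        System.out.println("encoded URL:    " + safe);
        System.out.println("encoded query:  " + reparsed.getRawQuery());
        System.out.println("fragment:       " + reparsed.getRawFragment());
    }
}
```

The same ambiguity applies to `&` and `=` inside a value: in a pre-built string they are indistinguishable from separators, so a value can silently add or override parameters unless it is encoded before concatenation.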