Posted to taglibs-dev@jakarta.apache.org by bu...@apache.org on 2005/12/07 00:31:10 UTC

DO NOT REPLY [Bug 32335] - c:url does not Encode unsafe characters

http://issues.apache.org/bugzilla/show_bug.cgi?id=32335


pierre.delisle@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From pierre.delisle@sun.com  2005-12-07 00:31 -------
Walter,

<c:url> has been spec'ed to only do URL rewriting.

More specifically, the JSTL spec says:
  "The rewriting must be performed by calling method encodeURL() 
  of the Servlet API."

And the servlet spec does not make any provision to encode
any special character. 

    public String HttpServletResponse.encodeURL(String url)

    This method encodes (rewrites) the specified URL to include the
    session ID and returns the new URL, or, if encoding is not needed
    or not supported, it leaves the URL unchanged. The rules used to
    decide when and how to encode a URL are server-specific. All URLs
    emitted by a servlet should be run through this method. Note that
    this encodeURL( ) method could more properly have been named
    rewriteURL( ) so as not to be confused with the URL encoding
    process that encodes special characters in URL strings.

The call to URLEncoder.encode() must be done explicitly.

However, I do agree it would be convenient if <c:url> not only
did the rewriting, but the encoding as well. Not clear to me why 
the Expert Group did not think of this at the time.

I've submitted an RFE to the JSTL spec so it can be considered.

See:
https://jstl-spec-public.dev.java.net/issues/show_bug.cgi?id=22

Thanks!  -- Pierre
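
The distinction drawn in the comment above, as an added example that is not part of the original message or of the JSTL/taglibs code: session rewriting and character encoding are two separate steps. `rewrite()` is a hypothetical stand-in for `HttpServletResponse.encodeURL()` so the class runs without a servlet container; the `;jsessionid=` form, the session ID and the parameter values are constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class UrlRewriteVsEncode {

    // Hypothetical stand-in for HttpServletResponse.encodeURL(): it only
    // adds the session ID and leaves every other character untouched.
    // The ";jsessionid=" placement is an assumption; real rules are server-specific.
    static String rewrite(String url, String sessionId) {
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    // Explicit step: form-encode each parameter name and value.
    static String query(Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sb.length() == 0 ? '?' : '&')
              .append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample values containing URL metacharacters.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "a&b=c d");
        params.put("next", "/home?x=1#top");

        // Rewriting only: '&', '=', ' ', '?' and '#' pass through as-is,
        // so the receiver sees an extra parameter "b" and a fragment.
        String unencoded = "/search?q=" + params.get("q") + "&next=" + params.get("next");
        System.out.println(rewrite(unencoded, "ABC123"));

        // Encode each value first, then rewrite: the values arrive intact.
        System.out.println(rewrite("/search" + query(params), "ABC123"));
    }
}
```

`URLEncoder.encode()` produces `application/x-www-form-urlencoded` output (a space becomes `+`), so it fits query parameter names and values, not path segments.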

