Posted to issues@struts.apache.org by "Hudson (Commented) (JIRA)" <ji...@apache.org> on 2011/10/03 10:56:34 UTC

[jira] [Commented] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs

    [ https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13119209#comment-13119209 ] 

Hudson commented on WW-3688:
----------------------------

Integrated in Struts2 #358 (See [https://builds.apache.org/job/Struts2/358/])
    WW-3688 JavaScript URL validator in the FreeMarker template fails many valid URLs

mcucchiara : 
Files : 
* /struts/struts2/trunk/core/src/main/resources/template/xhtml/form-close-validate.ftl

                
> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>            Assignee: Maurizio Cucchiara
>             Fix For: 2.3
>
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of a URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those definitions for the userinfo and host as allowed in the spec. I've also broken out path, query and fragment explicitly.
> There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6 addresses), and there's a chance that the server-side validation (using java.net.URL) will differ to the client side - so it may be good to allow URL validation to be deferred to the server as an option as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
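
Added example (not part of the original message, and not the attached WW-3688.diff): a client-side URL check built from the RFC 3986 character classes quoted in the report, with userinfo, host, path, query and fragment broken out and run against the cases the report lists. The accepted scheme list, the name isValidUrl and the sample URLs are assumptions made for illustration; like the patch described above it does not accept file:/// URIs or IPv6 literals, and the server-side check remains the one that decides.

```javascript
// RFC 3986 character classes (section 2.2, 2.3 and 2.1).
const UNRESERVED = "A-Za-z0-9._~\\-";   // "-" escaped so it never forms a range
const SUB_DELIMS = "!$&'()*+,;=";
const PCT = "%[0-9A-Fa-f]{2}";          // pct-encoded: "%" plus two hex digits

// userinfo and reg-name: unreserved / pct-encoded / sub-delims (userinfo adds ":").
const USERINFO = `(?:[${UNRESERVED}${SUB_DELIMS}:]|${PCT})*`;
const HOST = `(?:[${UNRESERVED}${SUB_DELIMS}]|${PCT})+`;
// pchar adds ":" and "@"; query and fragment additionally allow "/" and "?".
const PCHAR = `(?:[${UNRESERVED}${SUB_DELIMS}:@]|${PCT})`;
const PATH = `(?:/${PCHAR}*)*`;
const QUERY_OR_FRAGMENT = `(?:[${UNRESERVED}${SUB_DELIMS}:@/?]|${PCT})*`;

// Assumption: only these schemes are accepted by the form field.
const URL_RE = new RegExp(
  "^(?:https?|ftp)://" +
  `(?:${USERINFO}@)?` +
  HOST +
  "(?::[0-9]*)?" +
  PATH +
  `(?:\\?${QUERY_OR_FRAGMENT})?` +
  `(?:#${QUERY_OR_FRAGMENT})?$`,
  "i"
);

function isValidUrl(value) {
  return typeof value === "string" && URL_RE.test(value);
}

// Constructed sample inputs covering the cases named in the report.
const SAMPLES = [
  "http://localhost/",                            // host without a country code
  "http://xn--rsum-bpad.example.org",             // punycode host from an IRI
  "http://10.1.1.1/index.html",                   // IPv4 host, "." in the path
  "http://example.org/search.action?a=1&b=2;c=3", // "&", ";", "=" in the query
  "http://example.org/a+b%20c",                   // "+" and a pct-encoded octet
  "http://example.org/bad%zz",                    // malformed pct-encoding: rejected
  "http://example.org/a b",                       // raw space: rejected
  "http://[::1]/",                                // IPv6 literal: still rejected
];

for (const url of SAMPLES) {
  console.log(isValidUrl(url) ? "valid  " : "invalid", url);
}
```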