You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by "Mikaël Cluseau (JIRA)" <ta...@jakarta.apache.org> on 2005/03/10 00:37:53 UTC
[jira] Created: (TAPESTRY-280) DataSqueezer should URLEncode/Decode its string
DataSqueezer should URLEncode/Decode its string
-----------------------------------------------
Key: TAPESTRY-280
URL: http://issues.apache.org/jira/browse/TAPESTRY-280
Project: Tapestry
Type: Bug
Components: Framework
Versions: 3.0, 3.0.1, 3.1, 3.0.2
Environment: Java AMD64 1.5.01
Reporter: Mikaël Cluseau
I would add a fix in the DataSqueezer: the current implementation allow
Strings like "abc&sp=def" directly in the URL, which creates a second
parameter where only one is expected.
This is very inconvenient when you squeeze callback URLs (I have a
RedirectCallback that squeezes to R{url}). The bug is not obvious (I
first tought the browser was "pretty printing" the URL) as the "?" is
not considered a parameter so, if you have
Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
"/List.tap?sp=1" and you have a second parameter to your Login page...
I think the correct way of encoding parameters is :
...
// TODO For Java 1.3 compatibility, use equivalents from commons-codecs
import java.net.URLEncoder;
import java.net.URLDecoder;
...
public class DataSqueezer {
...
public String squeeze(Object data) throws IOException
{
ISqueezeAdaptor adaptor;
if (data == null)
return NULL_PREFIX;
adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
}
...
public Object unsqueeze(String rawString) throws IOException
{
ISqueezeAdaptor adaptor = null;
String string = URLDecoder.decode(rawString, "UTF-8");
if (string.equals(NULL_PREFIX))
return null;
int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
if (offset >= 0 && offset < _adaptorByPrefix.length)
adaptor = _adaptorByPrefix[offset];
// If the adaptor is not otherwise recognized, the it is simply
// an encoded String (the StringAdaptor may not have added
// a prefix).
if (adaptor == null)
return string;
// Adaptor should never be null, because we always supply
// an adaptor for String
return adaptor.unsqueeze(this, string);
}
...
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
[jira] Resolved: (TAPESTRY-280) DataSqueezer should URLEncode/Decode its string
Posted by "Howard M. Lewis Ship (JIRA)" <ta...@jakarta.apache.org>.
[ http://issues.apache.org/jira/browse/TAPESTRY-280?page=all ]
Howard M. Lewis Ship resolved TAPESTRY-280:
-------------------------------------------
Resolution: Invalid
Assign To: Howard M. Lewis Ship
Haven't seen any updates to this bug, so I'm marking it as invalid.
> DataSqueezer should URLEncode/Decode its string
> -----------------------------------------------
>
> Key: TAPESTRY-280
> URL: http://issues.apache.org/jira/browse/TAPESTRY-280
> Project: Tapestry
> Type: Bug
> Components: Framework
> Versions: 3.0.1, 3.0, 3.0.2
> Environment: Java AMD64 1.5.01
> Reporter: Mikaël Cluseau
> Assignee: Howard M. Lewis Ship
>
> I would add a fix in the DataSqueezer: the current implementation allow
> Strings like "abc&sp=def" directly in the URL, which creates a second
> parameter where only one is expected.
> This is very inconvenient when you squeeze callback URLs (I have a
> RedirectCallback that squeezes to R{url}). The bug is not obvious (I
> first tought the browser was "pretty printing" the URL) as the "?" is
> not considered a parameter so, if you have
> Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
> "/List.tap?sp=1" and you have a second parameter to your Login page...
> I think the correct way of encoding parameters is :
> ...
> // TODO For Java 1.3 compatibility, use equivalents from commons-codecs
> import java.net.URLEncoder;
> import java.net.URLDecoder;
> ...
> public class DataSqueezer {
> ...
> public String squeeze(Object data) throws IOException
> {
> ISqueezeAdaptor adaptor;
> if (data == null)
> return NULL_PREFIX;
> adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
> return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
> }
> ...
> public Object unsqueeze(String rawString) throws IOException
> {
> ISqueezeAdaptor adaptor = null;
> String string = URLDecoder.decode(rawString, "UTF-8");
> if (string.equals(NULL_PREFIX))
> return null;
> int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
> if (offset >= 0 && offset < _adaptorByPrefix.length)
> adaptor = _adaptorByPrefix[offset];
> // If the adaptor is not otherwise recognized, the it is simply
> // an encoded String (the StringAdaptor may not have added
> // a prefix).
> if (adaptor == null)
> return string;
> // Adaptor should never be null, because we always supply
> // an adaptor for String
> return adaptor.unsqueeze(this, string);
> }
> ...
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
[jira] Commented: (TAPESTRY-280) DataSqueezer should URLEncode/Decode its string
Posted by "Howard M. Lewis Ship (JIRA)" <ta...@jakarta.apache.org>.
[ http://issues.apache.org/jira/browse/TAPESTRY-280?page=comments#action_12323025 ]
Howard M. Lewis Ship commented on TAPESTRY-280:
-----------------------------------------------
Isn't the IMarkupWriter responsible for URL encoding/decoding?
This is a tricky issue; I think there are two places where encoding should occur --- in the IMarkupWriter and inside the code related to ILink construction.
> DataSqueezer should URLEncode/Decode its string
> -----------------------------------------------
>
> Key: TAPESTRY-280
> URL: http://issues.apache.org/jira/browse/TAPESTRY-280
> Project: Tapestry
> Type: Bug
> Components: Framework
> Versions: 3.0.1, 3.0, 4.0, 3.0.2
> Environment: Java AMD64 1.5.01
> Reporter: Mikaël Cluseau
>
> I would add a fix in the DataSqueezer: the current implementation allow
> Strings like "abc&sp=def" directly in the URL, which creates a second
> parameter where only one is expected.
> This is very inconvenient when you squeeze callback URLs (I have a
> RedirectCallback that squeezes to R{url}). The bug is not obvious (I
> first tought the browser was "pretty printing" the URL) as the "?" is
> not considered a parameter so, if you have
> Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
> "/List.tap?sp=1" and you have a second parameter to your Login page...
> I think the correct way of encoding parameters is :
> ...
> // TODO For Java 1.3 compatibility, use equivalents from commons-codecs
> import java.net.URLEncoder;
> import java.net.URLDecoder;
> ...
> public class DataSqueezer {
> ...
> public String squeeze(Object data) throws IOException
> {
> ISqueezeAdaptor adaptor;
> if (data == null)
> return NULL_PREFIX;
> adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
> return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
> }
> ...
> public Object unsqueeze(String rawString) throws IOException
> {
> ISqueezeAdaptor adaptor = null;
> String string = URLDecoder.decode(rawString, "UTF-8");
> if (string.equals(NULL_PREFIX))
> return null;
> int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
> if (offset >= 0 && offset < _adaptorByPrefix.length)
> adaptor = _adaptorByPrefix[offset];
> // If the adaptor is not otherwise recognized, the it is simply
> // an encoded String (the StringAdaptor may not have added
> // a prefix).
> if (adaptor == null)
> return string;
> // Adaptor should never be null, because we always supply
> // an adaptor for String
> return adaptor.unsqueeze(this, string);
> }
> ...
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
[jira] Updated: (TAPESTRY-280) DataSqueezer should URLEncode/Decode its string
Posted by "Howard M. Lewis Ship (JIRA)" <ta...@jakarta.apache.org>.
[ http://issues.apache.org/jira/browse/TAPESTRY-280?page=all ]
Howard M. Lewis Ship updated TAPESTRY-280:
------------------------------------------
Description:
I would add a fix in the DataSqueezer: the current implementation allow
Strings like "abc&sp=def" directly in the URL, which creates a second
parameter where only one is expected.
This is very inconvenient when you squeeze callback URLs (I have a
RedirectCallback that squeezes to R{url}). The bug is not obvious (I
first tought the browser was "pretty printing" the URL) as the "?" is
not considered a parameter so, if you have
Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
"/List.tap?sp=1" and you have a second parameter to your Login page...
I think the correct way of encoding parameters is :
...
// TODO For Java 1.3 compatibility, use equivalents from commons-codecs
import java.net.URLEncoder;
import java.net.URLDecoder;
...
public class DataSqueezer {
...
public String squeeze(Object data) throws IOException
{
ISqueezeAdaptor adaptor;
if (data == null)
return NULL_PREFIX;
adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
}
...
public Object unsqueeze(String rawString) throws IOException
{
ISqueezeAdaptor adaptor = null;
String string = URLDecoder.decode(rawString, "UTF-8");
if (string.equals(NULL_PREFIX))
return null;
int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
if (offset >= 0 && offset < _adaptorByPrefix.length)
adaptor = _adaptorByPrefix[offset];
// If the adaptor is not otherwise recognized, the it is simply
// an encoded String (the StringAdaptor may not have added
// a prefix).
if (adaptor == null)
return string;
// Adaptor should never be null, because we always supply
// an adaptor for String
return adaptor.unsqueeze(this, string);
}
...
}
was:
I would add a fix in the DataSqueezer: the current implementation allow
Strings like "abc&sp=def" directly in the URL, which creates a second
parameter where only one is expected.
This is very inconvenient when you squeeze callback URLs (I have a
RedirectCallback that squeezes to R{url}). The bug is not obvious (I
first tought the browser was "pretty printing" the URL) as the "?" is
not considered a parameter so, if you have
Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
"/List.tap?sp=1" and you have a second parameter to your Login page...
I think the correct way of encoding parameters is :
...
// TODO For Java 1.3 compatibility, use equivalents from commons-codecs
import java.net.URLEncoder;
import java.net.URLDecoder;
...
public class DataSqueezer {
...
public String squeeze(Object data) throws IOException
{
ISqueezeAdaptor adaptor;
if (data == null)
return NULL_PREFIX;
adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
}
...
public Object unsqueeze(String rawString) throws IOException
{
ISqueezeAdaptor adaptor = null;
String string = URLDecoder.decode(rawString, "UTF-8");
if (string.equals(NULL_PREFIX))
return null;
int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
if (offset >= 0 && offset < _adaptorByPrefix.length)
adaptor = _adaptorByPrefix[offset];
// If the adaptor is not otherwise recognized, the it is simply
// an encoded String (the StringAdaptor may not have added
// a prefix).
if (adaptor == null)
return string;
// Adaptor should never be null, because we always supply
// an adaptor for String
return adaptor.unsqueeze(this, string);
}
...
}
Version: (was: 4.0)
Assign To: (was: Howard M. Lewis Ship)
I built a smal lest application to check this out; a URLEncoder is used to encode each query parameter individually as the URL is being constructed, under 4.0 anyway.
I built a test page around this code:
public abstract class Encoding extends BasePage implements IExternalPage
{
public abstract String getInput();
public abstract void setParameter(String parameter);
@InjectObject("engine-service:external")
public abstract IEngineService getExternalService();
public void activateExternalPage(Object[] parameters, IRequestCycle cycle)
{
String parameter = (String) parameters[0];
setParameter(parameter);
}
public ILink doSubmit()
{
String input = getInput();
String pageName = getPageName();
ExternalServiceParameter parameter = new ExternalServiceParameter(pageName, new Object[]
{ input });
return getExternalService().getLink(false, parameter);
}
}
The input is collected by a TextField; we then build a link back to the same page, and use it to set the parameter.
I can enter strings like "heaven&hell" into the text field, the URL is properly encoded as http://localhost:8080/Encoding.external?sp=Sheaven%26sp%3Dhell in the browser address field.
I then modified the test page to render out the link URL onto the page; it rendered correctly, and the proper string (including the ampersand) was passed through correctly.
So this bug simply doesn't affect Tapestry 4.0.
> DataSqueezer should URLEncode/Decode its string
> -----------------------------------------------
>
> Key: TAPESTRY-280
> URL: http://issues.apache.org/jira/browse/TAPESTRY-280
> Project: Tapestry
> Type: Bug
> Components: Framework
> Versions: 3.0.1, 3.0, 3.0.2
> Environment: Java AMD64 1.5.01
> Reporter: Mikaël Cluseau
>
> I would add a fix in the DataSqueezer: the current implementation allow
> Strings like "abc&sp=def" directly in the URL, which creates a second
> parameter where only one is expected.
> This is very inconvenient when you squeeze callback URLs (I have a
> RedirectCallback that squeezes to R{url}). The bug is not obvious (I
> first tought the browser was "pretty printing" the URL) as the "?" is
> not considered a parameter so, if you have
> Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
> "/List.tap?sp=1" and you have a second parameter to your Login page...
> I think the correct way of encoding parameters is :
> ...
> // TODO For Java 1.3 compatibility, use equivalents from commons-codecs
> import java.net.URLEncoder;
> import java.net.URLDecoder;
> ...
> public class DataSqueezer {
> ...
> public String squeeze(Object data) throws IOException
> {
> ISqueezeAdaptor adaptor;
> if (data == null)
> return NULL_PREFIX;
> adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
> return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
> }
> ...
> public Object unsqueeze(String rawString) throws IOException
> {
> ISqueezeAdaptor adaptor = null;
> String string = URLDecoder.decode(rawString, "UTF-8");
> if (string.equals(NULL_PREFIX))
> return null;
> int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
> if (offset >= 0 && offset < _adaptorByPrefix.length)
> adaptor = _adaptorByPrefix[offset];
> // If the adaptor is not otherwise recognized, the it is simply
> // an encoded String (the StringAdaptor may not have added
> // a prefix).
> if (adaptor == null)
> return string;
> // Adaptor should never be null, because we always supply
> // an adaptor for String
> return adaptor.unsqueeze(this, string);
> }
> ...
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
[jira] Assigned: (TAPESTRY-280) DataSqueezer should URLEncode/Decode its string
Posted by "Howard M. Lewis Ship (JIRA)" <ta...@jakarta.apache.org>.
[ http://issues.apache.org/jira/browse/TAPESTRY-280?page=all ]
Howard M. Lewis Ship reassigned TAPESTRY-280:
---------------------------------------------
Assign To: Howard M. Lewis Ship
> DataSqueezer should URLEncode/Decode its string
> -----------------------------------------------
>
> Key: TAPESTRY-280
> URL: http://issues.apache.org/jira/browse/TAPESTRY-280
> Project: Tapestry
> Type: Bug
> Components: Framework
> Versions: 3.0.1, 3.0, 4.0, 3.0.2
> Environment: Java AMD64 1.5.01
> Reporter: Mikaël Cluseau
> Assignee: Howard M. Lewis Ship
>
> I would add a fix in the DataSqueezer: the current implementation allow
> Strings like "abc&sp=def" directly in the URL, which creates a second
> parameter where only one is expected.
> This is very inconvenient when you squeeze callback URLs (I have a
> RedirectCallback that squeezes to R{url}). The bug is not obvious (I
> first tought the browser was "pretty printing" the URL) as the "?" is
> not considered a parameter so, if you have
> Login.tap?sp=R/List.tap?sp=1&sp=2, the callback's URL becomes
> "/List.tap?sp=1" and you have a second parameter to your Login page...
> I think the correct way of encoding parameters is :
> ...
> // TODO For Java 1.3 compatibility, use equivalents from commons-codecs
> import java.net.URLEncoder;
> import java.net.URLDecoder;
> ...
> public class DataSqueezer {
> ...
> public String squeeze(Object data) throws IOException
> {
> ISqueezeAdaptor adaptor;
> if (data == null)
> return NULL_PREFIX;
> adaptor = (ISqueezeAdaptor) _adaptors.getAdaptor(data.getClass());
> return URLEncoder.encode(adaptor.squeeze(this, data),"UTF-8");
> }
> ...
> public Object unsqueeze(String rawString) throws IOException
> {
> ISqueezeAdaptor adaptor = null;
> String string = URLDecoder.decode(rawString, "UTF-8");
> if (string.equals(NULL_PREFIX))
> return null;
> int offset = string.charAt(0) - FIRST_ADAPTOR_OFFSET;
> if (offset >= 0 && offset < _adaptorByPrefix.length)
> adaptor = _adaptorByPrefix[offset];
> // If the adaptor is not otherwise recognized, the it is simply
> // an encoded String (the StringAdaptor may not have added
> // a prefix).
> if (adaptor == null)
> return string;
> // Adaptor should never be null, because we always supply
> // an adaptor for String
> return adaptor.unsqueeze(this, string);
> }
> ...
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org