Posted to issues@struts.apache.org by "Brett Porter (Created) (JIRA)" <ji...@apache.org> on 2011/10/03 03:18:34 UTC

[jira] [Created] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs

JavaScript URL validator in the FreeMarker template fails many valid URLs
-------------------------------------------------------------------------

                 Key: WW-3688
                 URL: https://issues.apache.org/jira/browse/WW-3688
             Project: Struts 2
          Issue Type: Bug
            Reporter: Brett Porter


As far as I can tell, it will not allow the following in the path/query of an URL:
"&", ";", "=" (query string)
"+", "%" (encoded characters)
"." (extensions)

There are several others.

In addition, particular hosts are not valid due to a lack of country code:
- localhost
- http://xn--rsum-bpad.example.org (from IRIs)
- 10.1.1.1

My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}

I've attached a patch to allow the extra characters, and to use those definitions for the userinfo and host as allowed in the spec. I've also broken out path, query and fragment explicitly.

There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6 addresses), and there's a chance that the server-side validation (using java.net.URL) will differ to the client side - so it may be good to allow URL validation to be deferred to the server as an option as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
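
Added example, not part of the original report or of WW-3688.diff: a client-side URL check built from the RFC 3986 character classes quoted above, with userinfo, host, port, path, query and fragment broken out, plus a comparison against a full parser to show where the two validators disagree. The scheme allow-list, the names seq, isValidUrl and disagreements, and the sample URLs are assumptions; the WHATWG URL class stands in for the server-side parser and is not java.net.URL.

```javascript
// Character classes follow RFC 3986 as quoted in the report.
const UNRESERVED = "A-Za-z0-9._~\\-";
const SUB_DELIMS = "!$&'()*+,;=";
const PCT = "%[0-9A-Fa-f]{2}";

// seq (hypothetical helper): a run of allowed characters or %xx triplets.
// `extra` adds the delimiters permitted in that component; `q` is * or +.
const seq = (extra, q) => `(?:[${UNRESERVED}${SUB_DELIMS}${extra}]|${PCT})${q}`;

const URL_RE = new RegExp(
  "^(?:https?|ftp)://" +          // assumed scheme allow-list
  `(?:${seq(":", "*")}@)?` +      // userinfo
  seq("", "+") +                  // host as reg-name: no dot or TLD required
  "(?::[0-9]*)?" +                // port
  `(?:/${seq(":@/", "*")})?` +    // path
  `(?:\\?${seq(":@/?", "*")})?` + // query
  `(?:#${seq(":@/?", "*")})?$`    // fragment
);

function isValidUrl(s) {
  return URL_RE.test(s);
}

// Inputs on which the regex and a full parser give different verdicts.
// Any such input is one the two validation layers will treat differently.
function disagreements(urls) {
  return urls.filter((u) => {
    let parsed = true;
    try { new URL(u); } catch (e) { parsed = false; }
    return parsed !== isValidUrl(u);
  });
}

// Constructed samples based on the cases listed in the report.
const SAMPLES = [
  "http://example.org/search.jsp?a=1&b=2;c=3", // "&", ";", "=", "."
  "http://example.org/a+b%20c.html",           // "+", pct-encoded
  "http://localhost",
  "http://xn--rsum-bpad.example.org",
  "http://10.1.1.1",
  "http://example.org/a%zz",                   // malformed pct-encoding
  "file:///tmp/x.txt",                         // still rejected by this regex
  "http://[::1]/",                             // IPv6 literal, still rejected
];
```

The last two samples are the cases the report says remain unsupported; disagreements(SAMPLES) lists them because the parser accepts what the regex rejects, which is the client/server mismatch the report warns about.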

        

[jira] [Commented] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs

Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13119209#comment-13119209 ] 

Hudson commented on WW-3688:
----------------------------

Integrated in Struts2 #358 (See [https://builds.apache.org/job/Struts2/358/])
    WW-3688 JavaScript URL validator in the FreeMarker template fails many valid URLs

mcucchiara : 
Files : 
* /struts/struts2/trunk/core/src/main/resources/template/xhtml/form-close-validate.ftl

                
> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>            Assignee: Maurizio Cucchiara
>             Fix For: 2.3
>
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of an URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those definitions for the userinfo and host as allowed in the spec. I've also broken out path, query and fragment explicitly.
> There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6 addresses), and there's a chance that the server-side validation (using java.net.URL) will differ to the client side - so it may be good to allow URL validation to be deferred to the server as an option as well.


        

[jira] [Updated] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs

Posted by "Brett Porter (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated WW-3688:
-----------------------------

    Attachment: WW-3688.diff
    
> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of an URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those definitions for the userinfo and host as allowed in the spec. I've also broken out path, query and fragment explicitly.
> There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6 addresses), and there's a chance that the server-side validation (using java.net.URL) will differ to the client side - so it may be good to allow URL validation to be deferred to the server as an option as well.


        

[jira] [Resolved] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs

Posted by "Maurizio Cucchiara (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maurizio Cucchiara resolved WW-3688.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3
         Assignee: Maurizio Cucchiara

Applied. 
Thank you, Brett!
                
> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>            Assignee: Maurizio Cucchiara
>             Fix For: 2.3
>
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of an URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those definitions for the userinfo and host as allowed in the spec. I've also broken out path, query and fragment explicitly.
> There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6 addresses), and there's a chance that the server-side validation (using java.net.URL) will differ to the client side - so it may be good to allow URL validation to be deferred to the server as an option as well.
