Posted to dev@myfaces.apache.org by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org> on 2009/05/26 06:40:45 UTC

[jira] Commented: (MYFACES-1841) HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding ( ex: & should be encoded in &amp)

    [ https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712850#action_12712850 ] 

Leonardo Uribe commented on MYFACES-1841:
-----------------------------------------

Patch attached with the proposed solution.

According to RFC 3986, a URI has the following structure:

URI         = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

The patch follows RFC 3986 (see comments inside patch) to percent-encode the URI.

It converts characters from 0x7F to infinitum in ' scheme ":" hier-part ' first to UTF-8 and then to percent encoding, as suggested by:

 -  RFC 3986 Section 3.2.2
 -  http://www.w3.org/TR/html40/appendix/notes.html#non-ascii-chars

Then the remaining part ' [ "?" query ] [ "#" fragment ] ' is encoded using the current character encoding set in HtmlResponseWriterImpl, because this part contains data that is decoded by the servlet container (configuring this part is servlet container specific).

If no objections, I'll commit this code soon on both shared branches.
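As an added example (not the attached patch and not MyFaces code) of the split the comment describes: everything before the first '?' or '#' is percent-encoded as UTF-8, the query and fragment are percent-encoded with the response writer's charset, and the result is then escaped for the HTML attribute so that '&' becomes '&amp;' as the issue asks. The class and method names here are assumptions.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
// Hypothetical illustration of the two-stage encoding described above; not the MyFaces patch.
public final class UriAttributeEncoder {
    // Encodes a URI for a double-quoted HTML attribute such as a form's action.
    public static String encodeURIAttribute(String uri, Charset queryCharset) {
        // RFC 3986: URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
        // The part before the first '?' or '#' is scheme ":" hier-part.
        int q = uri.indexOf('?'), h = uri.indexOf('#');
        int cut = (q < 0) ? uri.length() : q;
        if (h >= 0 && h < cut) cut = h;
        StringBuilder out = new StringBuilder(uri.length() + 16);
        percentEncodeNonAscii(uri.substring(0, cut), StandardCharsets.UTF_8, out); // always UTF-8
        percentEncodeNonAscii(uri.substring(cut), queryCharset, out);            // container charset
        return escapeForAttribute(out.toString());
    }
    // Percent-encodes each run of chars >= 0x7F with the given charset; ASCII passes through.
    static void percentEncodeNonAscii(String s, Charset cs, StringBuilder out) {
        int i = 0;
        while (i < s.length()) {
            if (s.charAt(i) < 0x7F) { out.append(s.charAt(i++)); continue; }
            int start = i;
            while (i < s.length() && s.charAt(i) >= 0x7F) i++; // keeps surrogate pairs together
            for (byte b : s.substring(start, i).getBytes(cs)) {
                out.append('%').append(String.format("%02X", b & 0xFF));
            }
        }
    }
    // Escapes the characters that are significant inside a double-quoted attribute value.
    static String escapeForAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            switch (s.charAt(i)) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(s.charAt(i));
            }
        }
        return out.toString();
    }
    public static void main(String[] args) {
        // Constructed sample: non-ASCII in the path and in the query, plus an '&' separator.
        String uri = "http://host/app/ni\u00F1o.jsf?name=\u00FC&id=1#top";
        System.out.println(encodeURIAttribute(uri, StandardCharsets.ISO_8859_1));
    }
}
```

Only the attribute escaping is the fix the issue asks for; the percent-encoding of the two parts follows the split the comment describes and assumes the query charset is the one HtmlResponseWriterImpl was configured with.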

> HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding  ( ex: & should be encoded in &amp)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-1841
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1841
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General, Portlet_Support
>    Affects Versions: 1.1.4, 1.1.5,  1.2.0
>         Environment: Windows xp sp2->Jboss portal  2.4.2->tomcat 5.5 ->JSF portlet 
>            Reporter: Lorenzo Cerulli
>         Attachments: MYFACES-1841-1.patch
>
>
> HtmlFormRenderer is the class in charge of rendering the UIForm component and all the required attributes.
> This class is in charge of rendering for example the Form component into <form id="foo" name="bar" action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex. .....> </form>
> During the rendering process the form renderer uses HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of the form component.
> Generally speaking the action attribute should be acquired using "context.getApplication().getViewHandler().getActionURL(context, viewid)" and the result MUST be encoded using "context.getExternalContext().encodeActionURL" before passing the url to "HtmlResponseWriterImpl.writeURIAttribute(URL);" This way the URL will be well formed and will be correctly encoded in the action attribute.
> Even if the HtmlFormRendererBase for example correctly implements this process the resulting URL is encoded in the action attribute without correctly transforming "&" in "&amp".
> At this point we can argue that this bug could be generated by two different sources:
> 1. Not correct URL encoding performed by javax.faces.context.FacesContext during context.getExternalContext().encodeActionURL [this is non related to myfaces and probably depends on the PortletResponse object implemented by the container, JBOSS portal in this case]
> 2. Not correct URI encoding within HtmlResponseWriterImpl.writeURIAttribute(URL) [related to myfaces]
> Analyzing the source code of the latter I noticed that writeURIAttribute(URL) internally calls the HTMLEncoder.encode method to perform string encoding if the URI starts with the "javascript" prefix, otherwise it does not perform any kind of encoding.
> Probably this is a bug because an enforcement of URI encoding rules should be provided in any case;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.