You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@myfaces.apache.org by "Jakob Korherr (JIRA)" <de...@myfaces.apache.org> on 2010/11/27 10:06:13 UTC

[jira] Created: (EXTCDI-87) ExternalContext.encodeActionUrl() must not be used for URL parameter values

ExternalContext.encodeActionUrl() must not be used for URL parameter values
---------------------------------------------------------------------------

                 Key: EXTCDI-87
                 URL: https://issues.apache.org/jira/browse/EXTCDI-87
             Project: MyFaces CODI
          Issue Type: Bug
          Components: JEE-JSF12-Module, JEE-JSF20-Module
    Affects Versions: 0.9.0
            Reporter: Jakob Korherr
            Assignee: Jakob Korherr


Currently there are some places where we're using ExternalContext.encodeActionUrl(). Sometimes the value is a whole URL - in this case encodeActionUrl() fits. However sometimes we're using it to encode a URL parameter value, which is wrong, because this method is designed to encode the final URL including all parameters and thus does not encode parameter values as expected.

The right way is to use URLEncoder.encode() for URL parameter values. See MyFaces' ExternalContext impl for details: ServletExternalContextImpl.encodeURL().

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Resolved: (EXTCDI-87) ExternalContext.encodeActionUrl() must not be used for URL parameter values

Posted by "Jakob Korherr (JIRA)" <de...@myfaces.apache.org>.

     [ https://issues.apache.org/jira/browse/EXTCDI-87?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jakob Korherr resolved EXTCDI-87.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 0.9.1

> ExternalContext.encodeActionUrl() must not be used for URL parameter values
> ---------------------------------------------------------------------------
>
>                 Key: EXTCDI-87
>                 URL: https://issues.apache.org/jira/browse/EXTCDI-87
>             Project: MyFaces CODI
>          Issue Type: Bug
>          Components: JEE-JSF12-Module, JEE-JSF20-Module
>    Affects Versions: 0.9.0
>            Reporter: Jakob Korherr
>            Assignee: Jakob Korherr
>             Fix For: 0.9.1
>
>
> Currently there are some places where we're using ExternalContext.encodeActionUrl(). Sometimes the value is a whole URL - in this case encodeActionUrl() fits. However sometimes we're using it to encode a URL parameter value, which is wrong, because this method is designed to encode the final URL including all parameters and thus does not encode parameter values as expected.
> The right way is to use URLEncoder.encode() for URL parameter values. See MyFaces' ExternalContext impl for details: ServletExternalContextImpl.encodeURL().

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.