[ https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leonardo Uribe updated MYFACES-1841: ------------------------------------ Resolution: Fixed Fix Version/s: 1.2.7-SNAPSHOT 1.1.7-SNAPSHOT Status: Resolved (was: Patch Available) > HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs > encoding ( ex: & should be encoded in &) > ------------------------------------------------------------------------------------------------------------------ > > Key: MYFACES-1841 > URL: https://issues.apache.org/jira/browse/MYFACES-1841 > Project: MyFaces Core > Issue Type: Bug > Components: General, Portlet_Support > Affects Versions: 1.1.4, 1.1.5, 1.2.0 > Environment: Windows xp sp2->Jboss portal 2.4.2->tomcat 5.5 ->JSF > portlet > Reporter: Lorenzo Cerulli > Assignee: Leonardo Uribe > Fix For: 1.1.7-SNAPSHOT, 1.2.7-SNAPSHOT > > Attachments: MYFACES-1841-1.patch > > > HtmlFormRenderer is the class in charge of rendering the UIForm component and > all the required attibutes. > This class is in charge of rendering for example the Form component tinto > <form id="foo" name="bar" > action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex. > .....> </form> > During the rendering process the form renderer uses > HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of > the form component. > Generally speaking the action attribute should be acquired using > "context.getApplication().getViewHandler().getActionURL(context, viewid))" > and the result MUST be encoded using > "context.getExternalContext().encodeActionURL" before passing the url to the > "HtmlResponseWriterImpl.writeURIAttribute(URL);" This way the URL will be > well formed and will be correctly encoded in the action attribute. > Even if the HtmlFormRendererBase for example correctly implements this > process the resulting URL is encoded in the action attribute without > correctly transforming "&" in "&". > At this point we can argue that this bug could be generated by two different > sources: > 1. Not correct URL encding perfomed by javax.faces.context.FacesContext > during context.getExternalContext().encodeActionURL[this is non related to > myfaces and probably depend on the PortletResponse object implemented by the > container JBOSS portal in this case] > 2. Nor correct URI encoding within > HtmlResponseWriterImpl.writeURIAttribute(URL) [related to myfaces] > Analyzing the source code of the latter i noticed that writeURIAttribute(URL) > internally calls the HTMLEncoder.encode method to perform string encoding if > the URI starts with the "javascript" prefix otherwise does not perform any > kind of encoding. > Probably this is a bug bacause an enforcment of URI encoding rules should be > provided in any case; -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.