[ 
https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Leonardo Uribe updated MYFACES-1841:
------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.2.7-SNAPSHOT
                   1.1.7-SNAPSHOT
           Status: Resolved  (was: Patch Available)

> HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs 
> encoding  ( ex: & should be encoded in &amp)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-1841
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1841
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General, Portlet_Support
>    Affects Versions: 1.1.4, 1.1.5,  1.2.0
>         Environment: Windows xp sp2->Jboss portal  2.4.2->tomcat 5.5 ->JSF 
> portlet 
>            Reporter: Lorenzo Cerulli
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.7-SNAPSHOT, 1.2.7-SNAPSHOT
>
>         Attachments: MYFACES-1841-1.patch
>
>
> HtmlFormRenderer is the class in charge of rendering the UIForm component and 
> all the required attributes.
> This class is in charge of rendering, for example, the Form component into 
> <form id="foo" name="bar" 
> action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex.
>  .....> </form>
> During the rendering process the form renderer uses  
> HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of 
> the form component.
> Generally speaking the action attribute should be acquired using 
> "context.getApplication().getViewHandler().getActionURL(context, viewid))" 
> and the result  MUST be encoded using 
> "context.getExternalContext().encodeActionURL" before passing the url to the 
> "HtmlResponseWriterImpl.writeURIAttribute(URL);" This way the URL will be 
> well formed and will be correctly encoded in the action attribute.
> Even if the HtmlFormRendererBase for example correctly implements this 
> process the resulting URL is encoded in the action attribute without 
> correctly transforming "&" in "&amp". 
> At this point we can argue that this bug could be generated by two different 
> sources:
> 1. Not correct URL encoding performed by javax.faces.context.FacesContext 
> during context.getExternalContext().encodeActionURL [this is not related to 
> myfaces and probably depends on the PortletResponse object implemented by the 
> container, JBOSS portal in this case]
> 2. Not correct URI encoding within 
> HtmlResponseWriterImpl.writeURIAttribute(URL) [related to myfaces]
> Analyzing the source code of the latter I noticed that writeURIAttribute(URL) 
> internally calls the HTMLEncoder.encode method to perform string encoding if 
> the URI starts with the "javascript" prefix, otherwise it does not perform any 
> kind of encoding.
> Probably this is a bug because an enforcement of URI encoding rules should be 
> provided in any case;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
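
The behaviour described in the report, next to the always-encode behaviour it asks for, as an added Java example (not MyFaces source and not the attached patch; the class name, method names and sample URL are constructed for illustration):

```java
// Added illustration, not MyFaces source. All names here are hypothetical.
public class UriAttributeDemo {

    // Minimal HTML attribute-value escaping. Note: input that is already
    // escaped (contains "&amp;") would be escaped a second time.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour as the report describes it: only URIs starting with
    // "javascript" are encoded, everything else is written verbatim.
    static String writeAsReported(String name, String uri) {
        boolean js = uri.regionMatches(true, 0, "javascript", 0, 10);
        return " " + name + "=\"" + (js ? escapeAttr(uri) : uri) + "\"";
    }

    // Behaviour the report asks for: encode every URI attribute value.
    static String writeAlwaysEncoded(String name, String uri) {
        return " " + name + "=\"" + escapeAttr(uri) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample URL with two query parameters.
        String action = "/portal/window?action=1&viewId=%2Fpages%2Fhome";
        System.out.println("<form" + writeAsReported("action", action) + ">");
        System.out.println("<form" + writeAlwaysEncoded("action", action) + ">");
    }
}
```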
