[ https://issues.apache.org/jira/browse/OFBIZ-5847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-5847.
----------------------------------
    Resolution: Fixed
      Assignee: Nicolas Malin

Indeed the issue comes from the ESAPI lib, when we use GET style URL parameters in screens/forms links instead of POST style as Nicolas fixed 3 cases.

I made a review, we have 51 target*& occurrences OOTB
* The <form ... target > links are not concerned (see edit budget item for instance)
* Nor the <hyperlink target> links (see systems notes for instance)
* Nor <hyperlink target> links (see ListProductStoreFacility, but not in trunk due to OFBIZ-6051)
* Nor <on-event-update-area area-target> links (see ListProductStoreFacility EditProductStoreFacility)

So it seems only the <link target> links are concerned and moreover hopefully maybe only in menus. We have no longer any of them OOTB. So at least OFBiz is ok.

I will close this issue, this can no longer appear in new and custom code, because the new ESAPI implementation now throws a
{code}
org.ofbiz.base.util.UtilCodec$IntrusionException: Input validation failure
{code}
in such cases (just try to revert r1637716 in trunk)

Happy end :)

> If define the & and combine with "part" that encode to ∂
> ------------------------------------------------------------
>
>                 Key: OFBIZ-5847
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5847
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Supachai Chaima-ngua
>            Assignee: Nicolas Malin
>              Labels: encode, url
>             Fix For: 12.04.06, 13.07.02, Trunk
>
>         Attachments: OFBIZ-5847.patch, OFBiz WorkEffort Manager Calendar.png
>
>
> XML widget problems: If define the & and combine with "part" that encode
> to ∂
> Example >>>
> BEFORE: viewprofile?status=Y&partyId=Demo
> AFTER: viewprofile?status=Y∂yId=Demo

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
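
The BEFORE/AFTER in the report, reproduced as an added Python example that is not OFBiz or ESAPI code. `lenient_decode` is a hypothetical model that assumes the decoder accepts the longest entity name after `&` even without a trailing `;`, and `mangled_params` (also hypothetical) flags GET parameters in a link target that such a decoder would corrupt; the second sample target is constructed.

```python
import re
from html.entities import html5  # stdlib table of HTML5 named character references

# Entity names without the trailing ";": "part" -> U+2202, "amp" -> "&", ...
ENTITIES = {name.rstrip(";"): char for name, char in html5.items()}
LONGEST = max(map(len, ENTITIES))


def lenient_decode(text):
    """Hypothetical model (assumption): decode "&name" even when the ";" is
    missing, using the longest entity name that prefixes the following word."""
    def repl(match):
        word, semi = match.groups()
        for end in range(min(len(word), LONGEST), 0, -1):  # longest match first
            if word[:end] in ENTITIES:
                tail = word[end:]
                # A ";" is consumed only when it directly closes the entity name.
                return ENTITIES[word[:end]] + (tail + semi if tail else "")
        return match.group(0)  # no entity name matches: leave the text alone
    return re.sub(r"&([A-Za-z0-9]+)(;?)", repl, text)


def mangled_params(target):
    """Return the GET parameter names in a link target that lenient_decode
    would corrupt because the name starts with an entity name."""
    query = target.partition("?")[2]
    hits = []
    for pair in query.split("&")[1:]:  # the first parameter follows "?", not "&"
        name = pair.partition("=")[0]
        if lenient_decode("&" + name) != "&" + name:
            hits.append(name)
    return hits


if __name__ == "__main__":
    samples = [
        "viewprofile?status=Y&partyId=Demo",                          # BEFORE value from the report
        "EditProductStoreFacility?productStoreId=9000&facilityId=X",  # constructed
    ]
    for target in samples:
        print(target, "->", lenient_decode(target), mangled_params(target))
```
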