Antonio Petrelli wrote:
2008/1/14, GF <[EMAIL PROTECTED]>:
I think that there are 2 issues. Both important. One in s:url and the
other in s:a

s:url generates a URL that can contain a malicious query string (it
doesn't encode anything except what is passed with s:param). And this
is not good, mainly because when someone says encode=true, he expects
to receive a safe URL.

I think that there are two levels of encoding:

1) in s:url, the parameters values must be encoded, to create a valid
(and safe) URL.
2) in s:a, the whole URL must be encoded, simply because it is used
inside an HTML element (<a>) between double quotes. For example, '&'
becomes &amp;

Hi Antonio, as I mentioned in a previous post, it's not so simple, as the href attribute of s:a can legally contain javascript or vbscript. This is precisely why the href attribute is not escaped/encoded in the template. It's deliberate.
Template from simple theme:

<a<#rt/>
<#if parameters.id?if_exists != "">
id="${parameters.id?html}"<#rt/>
</#if>
<#if parameters.href?if_exists != "">
href="${parameters.href}"<#rt/>
</#if>
...
Id is escaped, href is not. It's the same case for s:submit and s:div's href attributes. There's no bug in s:a. s:url can be improved however.
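To make the two encoding levels discussed above concrete, here is an added Python example (not code from this thread or from Struts). The function names build_url, html_attr, anchor and query_params, and the sample "search.action" parameters, are assumptions chosen for illustration:

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit


def build_url(base, params):
    """Level 1 (what s:url should do): percent-encode every parameter
    name and value, so a value such as 'a&admin=true' cannot inject an
    extra query parameter or otherwise break the URL structure."""
    if not params:
        return base
    sep = "&" if "?" in base else "?"
    return base + sep + urlencode(params)


def html_attr(value):
    """Level 2 (the s:a layer): escape for a double-quoted HTML attribute.
    Only HTML-significant characters change ('&' -> '&amp;', '"' -> '&quot;');
    nothing is percent-encoded, so the URL itself is left as authored."""
    return escape(value, quote=True)


def anchor(href, text):
    """Render <a href="..."> with both the attribute and the body escaped."""
    return '<a href="%s">%s</a>' % (html_attr(href), escape(text))


def query_params(url):
    """Parse the query string the way a server would, to check what
    parameters actually arrive."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    # Constructed sample: one value contains '&' and '='.
    params = {"q": "a&admin=true", "page": "1"}
    safe = build_url("search.action", params)
    naive = "search.action?q=" + params["q"] + "&page=" + params["page"]
    print(safe)                  # q=a%26admin%3Dtrue&page=1
    print(query_params(safe))    # only 'q' and 'page' arrive
    print(query_params(naive))   # an unexpected 'admin' parameter appears
    print(anchor(safe, "Next"))  # '&' in the href becomes '&amp;'
```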
