[
https://issues.apache.org/jira/browse/WICKET-1627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12597249#action_12597249
]
Doug Donohoe commented on WICKET-1627:
--------------------------------------
I'm working on a test to show how the four types of forms behave (all
combinations of Form/StatelessForm with GET/POST):

RUNNING: org.apache.wicket.integration.encoding.StatefulGetPage
<form action="" wicket:id="form" id="form1" method="get">
<input type="hidden" name="form1_hf_0" id="form1_hf_0" />
<input type="hidden" name="wicket:interface"
value=":0:form::IFormSubmitListener::" />

RUNNING: org.apache.wicket.integration.encoding.StatefulPostPage
<form action="?wicket:interface=:1:form::IFormSubmitListener::"
wicket:id="form" id="form2" method="post">
<input type="hidden" name="form2_hf_0" id="form2_hf_0" />

RUNNING: org.apache.wicket.integration.encoding.StatelessGetPage
<form action="" wicket:id="form" id="form3" method="get">
<input type="hidden" name="form3_hf_0" id="form3_hf_0" />
<input type="hidden" name="wicket:bookmarkablePage"
value="%3Aorg.apache.wicket.integration.encoding.StatelessGetPage" />
<input type="hidden" name="wicket:interface"
value="%3A2%3Aform%3A%3AIFormSubmitListener%3A%3A" />

RUNNING: org.apache.wicket.integration.encoding.StatelessPostPage
<form
action="?wicket:bookmarkablePage=%3Aorg.apache.wicket.integration.encoding.StatelessPostPage&wicket:interface=%3A3%3Aform%3A%3AIFormSubmitListener%3A%3A"
wicket:id="form" id="form4" method="post">
<input type="hidden" name="form4_hf_0" id="form4_hf_0" />

As you can see, sometimes the wicket:interface value is url-encoded; other
times it is not. In the Stateless Get example, the wicket:interface is
incorrectly URL encoded (it should not be because the browser does a 2nd
URL-encode when submitting which causes BUG 1580). It should be HTML escaped
however.
> AbstractRequestTargetUrlCodingStrategy improper use of URLEncoder.encode
> ------------------------------------------------------------------------
>
> Key: WICKET-1627
> URL: https://issues.apache.org/jira/browse/WICKET-1627
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.3.1, 1.3.2, 1.3.3, 1.4-M1
> Environment: Tomcat or Jetty (probably others)
> Reporter: Doug Donohoe
> Fix For: 1.4-M2
>
> Attachments: 1627and1624.v2.patch
>
>
> The use of URLEncoder.encode is incorrect in this scenario. The URLEncoder
> is meant for encoding query string values - not values that appear in the
> path portion of a URI.
> Because the AbstractRequestTargetUrlCodingStrategy is used by other classes
> to encode values that appear in the path, problems can occur when that path
> has spaces. For example, the parameter "message with spaces
> and+some+pluses" is encoded as follows in a URL:
> http://localhost:8080/bugs/home/message/message+with+spaces+and%2Bsome%2Bpluses/
> However, the resulting request.getServletPath() call returns this:
> /home/message/message+with+spaces+and+some+plusses=bug/
> Note that the + characters in the path are not turned back into spaces.
> This is the correct behavior and is seen in both Tomcat and Jetty.
> See the RFC (http://www.ietf.org/rfc/rfc2396.txt) for a full description of
> what should or should not be encoded.
> /**
>  * Url encodes a string
>  *
>  * @param string
>  *            string to be encoded
>  * @return encoded string
>  */
> protected String urlEncode(String string)
> {
>     try
>     {
>         return URLEncoder.encode(string,
>             Application.get().getRequestCycleSettings()
>                 .getResponseRequestEncoding());
>     }
>     catch (UnsupportedEncodingException e)
>     {
>         log.error(e.getMessage(), e);
>         return string;
>     }
> }
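
The two encoding-context mistakes discussed in this message (form encoding used for a path segment, and a hidden field value that is URL-encoded before the browser encodes it again), as an added example that is not part of the original message or of Wicket. The class and method names are hypothetical, the sample values are the ones quoted above, and the Charset overloads of URLEncoder/URLDecoder assume Java 10 or later.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not Wicket code; class and method names are hypothetical.
public class EncodingContexts {

    // application/x-www-form-urlencoded: what URLEncoder produces and what a
    // browser applies to every field value when it submits a form.
    static String formEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Path-segment encoding built on URLEncoder: after form encoding a literal
    // '+' is already %2B, so every remaining '+' stands for a space.
    static String pathSegmentEncode(String s) {
        return formEncode(s).replace("+", "%20");
    }

    // Path decoding as the issue reports for Tomcat and Jetty: percent escapes
    // are decoded, '+' is left alone. java.net.URI.getPath() behaves the same.
    static String pathDecode(String rawPath) {
        return URI.create("http://localhost" + rawPath).getPath();
    }

    // Minimal HTML attribute escaping for a hidden field value.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        String param = "message with spaces and+some+pluses"; // value from the issue
        System.out.println(pathDecode("/home/message/" + formEncode(param) + "/"));
        System.out.println(pathDecode("/home/message/" + pathSegmentEncode(param) + "/"));

        String listener = ":2:form::IFormSubmitListener::"; // from the StatelessGetPage output
        // Hidden field written pre-encoded by the server, encoded again by the
        // browser on GET submit, decoded once on receipt: the value is mangled.
        String sent = formEncode(formEncode(listener));
        System.out.println(URLDecoder.decode(sent, StandardCharsets.UTF_8));

        // Hidden field only HTML-escaped: the browser's HTML parser reverses the
        // escaping, form-encodes once, and a single decode restores the value.
        System.out.println(htmlEscape(listener));
        System.out.println(URLDecoder.decode(formEncode(listener), StandardCharsets.UTF_8));
    }
}
```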