[ https://issues.apache.org/jira/browse/CLK-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876638#action_12876638 ]

Bob Schellink commented on CLK-685:
-----------------------------------

Been pondering this one a bit the last couple of days. I'm not sure that strict 
is the best default option for both Ajax and non-Ajax requests. For example, 
taking Ajax out of the equation, it makes sense that *all* parameters rendered 
as a link should be bound to the link. Ajax complicates the matter since it can 
post extra data (not defined on the href) to the server.

A bit radical, but another way to solve this is to *only* bind the VALUE 
parameter. Meaning arbitrary parameters set on the link are rendered, but are 
not bound to the incoming request. Since Context already contains these 
parameters we are actually duplicating these values in the link anyway. In this 
scenario we would deprecate Link.getParameter. So the usage pattern would 
become:

if (link.isClicked()) {
  link.getValue(); // Still works
  // link.getParameter("id"); // Won't work anymore

  context.getRequestParameter("id"); // Will work
}


> Links should be able to restrict parameter binding for Ajax requests
> --------------------------------------------------------------------
>
>                 Key: CLK-685
>                 URL: https://issues.apache.org/jira/browse/CLK-685
>             Project: Click
>          Issue Type: Sub-task
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Bob Schellink
>            Assignee: Bob Schellink
>             Fix For: 2.3.0-M1
>
>
> AbstractLink binds all incoming request parameters to its own parameter map. 
> This makes the link quite easy to use but has the potential to leak 
> parameters which aren't targeted at the link.
> The problem becomes obvious when using Ajax to invoke a link. Any extra 
> parameters passed for the Ajax request will be added to the link parameter 
> map. We need to introduce a "strict" parameter binding strategy for links so 
> that only those parameters that were defined *before* the processing event 
> should be bound. The "strict" policy can be set to "on" for Ajax and "off" 
> for normal requests.
> See 
> http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html
>  for more details.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
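
The difference between binding every request parameter and the "strict" policy described in the issue can be seen in a small stand-alone model. This is an added example, not part of the original message and not Apache Click code: DemoLink, bindAll, bindStrict and the request values are hypothetical names and constructed data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical model of the binding behaviour discussed in CLK-685; not Apache Click code.
public class LinkBindingDemo {

    /** Minimal stand-in for a link control that keeps its own parameter map. */
    static class DemoLink {
        final Map<String, String> parameters = new LinkedHashMap<>();

        /** Lax binding: every incoming request parameter is copied onto the link. */
        void bindAll(Map<String, String> request) {
            parameters.putAll(request);
        }

        /** Strict binding: only parameters already defined on the link before
         *  the request is processed receive the incoming values. */
        void bindStrict(Map<String, String> request) {
            for (Map.Entry<String, String> e : parameters.entrySet()) {
                if (request.containsKey(e.getKey())) {
                    e.setValue(request.get(e.getKey()));
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed Ajax request: "id" was rendered on the href, while
        // "filter" is extra data posted by the client-side script.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("id", "42");
        request.put("filter", "active");

        DemoLink lax = new DemoLink();
        lax.parameters.put("id", null);      // defined before processing
        lax.bindAll(request);
        System.out.println("lax:    " + lax.parameters);

        DemoLink strict = new DemoLink();
        strict.parameters.put("id", null);   // defined before processing
        strict.bindStrict(request);
        System.out.println("strict: " + strict.parameters);
    }
}
```

With lax binding the link's map picks up "filter" even though it was never defined on the link; with strict binding only "id" is populated.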
