[ https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12581611#action_12581611 ]

Lorenzo Cerulli commented on MYFACES-1841:
------------------------------------------

Just to give some additional information, the text below comes from the JSF spec
1.2 maintenance release 2006 specification:

"public void writeAttribute(String name, Object value, String
componentPropertyName) throws IOException;

public void writeURIAttribute(String name, Object value, String
componentPropertyName) throws IOException;

These methods add an attribute name/value pair to an element that was opened
with a previous call to startElement(), throwing an exception if there is no
currently open element. The writeAttribute() method causes character encoding
to be performed in the same manner as that performed by the writeText()
methods. The writeURIAttribute() method assumes that the attribute value is a
URI, and performs URI encoding (such as % encoding for HTML)" -> Chapter 6-10
[page 210]

The important part is obviously the last sentence.


> HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding (ex: & should be encoded in &amp)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-1841
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1841
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General, Portlet_Support
>    Affects Versions: 1.1.4, 1.1.5,  1.2.0
>         Environment: Windows xp sp2->Jboss portal  2.4.2->tomcat 5.5 ->JSF portlet
>            Reporter: Lorenzo Cerulli
>
> HtmlFormRenderer is the class in charge of rendering the UIForm component and
> all the required attributes.
> This class is in charge of rendering, for example, the Form component into
> <form id="foo" name="bar" 
> action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex.
>  .....> </form>
> During the rendering process the form renderer uses
> HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of
> the form component.
> Generally speaking the action attribute should be acquired using
> "context.getApplication().getViewHandler().getActionURL(context, viewid))"
> and the result MUST be encoded using
> "context.getExternalContext().encodeActionURL" before passing the URL to
> "HtmlResponseWriterImpl.writeURIAttribute(URL);". This way the URL will be
> well formed and will be correctly encoded in the action attribute.
> Even if the HtmlFormRendererBase, for example, correctly implements this
> process, the resulting URL is encoded in the action attribute without
> correctly transforming "&" into "&amp".
> At this point we can argue that this bug could be generated by two different
> sources:
> 1. Not correct URL encoding performed by javax.faces.context.FacesContext
> during context.getExternalContext().encodeActionURL [this is not related to
> MyFaces and probably depends on the PortletResponse object implemented by the
> container, JBoss Portal in this case]
> 2. Not correct URI encoding within
> HtmlResponseWriterImpl.writeURIAttribute(URL) [related to MyFaces]
> Analyzing the source code of the latter, I noticed that writeURIAttribute(URL)
> internally calls the HTMLEncoder.encode method to perform string encoding if
> the URI starts with the "javascript" prefix; otherwise it does not perform any
> kind of encoding.
> This is probably a bug because an enforcement of URI encoding rules should be
> provided in any case.

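The two encoding steps discussed in the report, as an added Java example (not MyFaces code and not part of the original message): percent-encoding of the URI followed by HTML attribute escaping, so that "&" reaches the page as "&amp;". The class name, method names and the sample URL are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical helper, not the MyFaces HtmlResponseWriterImpl.
public class UriAttributeEncoding {

    // Characters RFC 3986 allows literally in a URI, besides ASCII letters and digits.
    private static final String URI_PUNCT = "-._~:/?#[]@!$&'()*+,;=";

    // Step 1: percent-encode bytes that may not appear literally in a URI.
    // Well-formed %XX escapes already in the input are kept, so nothing is double-encoded.
    static String percentEncode(String uri) {
        byte[] in = uri.getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < in.length; i++) {
            int b = in[i] & 0xFF;
            boolean escape = b == '%' && i + 2 < in.length
                    && Character.digit(in[i + 1], 16) >= 0
                    && Character.digit(in[i + 2], 16) >= 0;
            boolean literal = b < 0x80
                    && (Character.isLetterOrDigit(b) || URI_PUNCT.indexOf(b) >= 0);
            if (escape || literal) out.append((char) b);
            else out.append(String.format("%%%02X", b));
        }
        return out.toString();
    }

    // Step 2: escape for an HTML attribute value, so "&" is written as "&amp;".
    static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample URL: two query parameters, an existing %2F escape, a space.
        String url = "/demo/view?action=1&view_id=%2FWEB-INF%2Fjsp%2Fhome.jsp&title=hello world";
        String attr = escapeAttribute(percentEncode(url));
        System.out.println("<form action=\"" + attr + "\">");
    }
}
```

The order matters: escaping for the attribute is the last step before output, and it must be applied exactly once, otherwise a value that already contains "&amp;" is written as "&amp;amp;".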