[ https://issues.apache.org/jira/browse/MYFACES-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12581611#action_12581611 ]

lcerulli edited comment on MYFACES-1841 at 3/24/08 11:32 AM:
--------------------------------------------------------------------

Just to give some additional information, the text below comes from the JSF spec 1.2 maintenance release 2006 specification (and it's the same in the 1.1 spec):

"public void writeAttribute(String name, Object value, String componentPropertyName) throws IOException;

public void writeURIAttribute(String name, Object value, String componentPropertyName) throws IOException;

These methods add an attribute name/value pair to an element that was opened with a previous call to startElement(), throwing an exception if there is no currently open element. The writeAttribute() method causes character encoding to be performed in the same manner as that performed by the writeText() methods. The writeURIAttribute() method assumes that the attribute value is a URI, and performs URI encoding (such as % encoding for HTML)" -> Chapter 6-10 [page 210]

The important part is obviously the last sentence
Below you can find the R.I. implementation:

---------- Reference implementation ----------
    public void writeURIAttribute(String name, Object value, String componentPropertyName)
        throws IOException
    {
        if(name == null || value == null)
            throw new NullPointerException(Util.getExceptionMessageString("com.sun.faces.NULL_PARAMETERS_ERROR"));
        writer.write(" ");
        writer.write(name);
        writer.write("=\"");
        String stringValue = value.toString();
        if(stringValue.startsWith("javascript:"))
            HtmlUtils.writeAttribute(writer, buffer, stringValue);
        else
            // -------> This IS NOT implemented BY MYFACES, THAT INSTEAD PERFORMS A STANDARD writer.write
            HtmlUtils.writeURL(writer, stringValue, encoding);
        writer.write("\"");
    }
---------- Myfaces Implementation ----------
    public void writeURIAttribute(String name, Object value, String componentPropertyName)
        throws IOException
    {
        if(name == null)
            throw new NullPointerException("attributeName name must not be null");
        if(!_startTagOpen)
            throw new IllegalStateException("Must be called before the start element is closed (attribute '" + name + "')");
        String strValue = value.toString();
        _writer.write(32);   // ' ' (space before the attribute name)
        _writer.write(name);
        _writer.write("=\"");
        if(strValue.toLowerCase().startsWith("javascript:"))
            _writer.write(HTMLEncoder.encode(strValue, false, false, !"UTF-8".equals(_characterEncoding)));
        else
            _writer.write(strValue);   // value is written as-is, with no encoding
        _writer.write(34);   // '"' (closing quote)
    }





  
> HtmlResponseWriterImpl.writeURIAttribute does not perform proper URLs encoding (ex: & should be encoded in &amp)
> ----------------------------------------------------------------------
>
>                 Key: MYFACES-1841
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1841
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General, Portlet_Support
>    Affects Versions: 1.1.4, 1.1.5, 1.2.0
>         Environment: Windows xp sp2->Jboss portal 2.4.2->tomcat 5.5 ->JSF portlet
>            Reporter: Lorenzo Cerulli
>
> HtmlFormRenderer is the class in charge of rendering the UIForm component and all the required attributes.
> This class is in charge of rendering, for example, the Form component into
> <form id="foo" name="bar" action=/HelloWorldJSFPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=%2FWEB-INF%2Fjsp%2Findex.
>  .....> </form>
> During the rendering process the form renderer uses HtmlResponseWriterImpl.writeURIAttribute to write the "action" attribute of the form component.
> Generally speaking the action attribute should be acquired using "context.getApplication().getViewHandler().getActionURL(context, viewid))" and the result MUST be encoded using "context.getExternalContext().encodeActionURL" before passing the url to the "HtmlResponseWriterImpl.writeURIAttribute(URL);" This way the URL will be well formed and will be correctly encoded in the action attribute.
> Even if the HtmlFormRendererBase, for example, correctly implements this process, the resulting URL is encoded in the action attribute without correctly transforming "&" in "&amp".
> At this point we can argue that this bug could be generated by two different sources:
> 1. Not correct URL encoding performed by javax.faces.context.FacesContext during context.getExternalContext().encodeActionURL [this is not related to myfaces and probably depends on the PortletResponse object implemented by the container, JBOSS portal in this case]
> 2. Not correct URI encoding within HtmlResponseWriterImpl.writeURIAttribute(URL) [related to myfaces]
> Analyzing the source code of the latter I noticed that writeURIAttribute(URL) internally calls the HTMLEncoder.encode method to perform string encoding if the URI starts with the "javascript" prefix, otherwise does not perform any kind of encoding.
> Probably this is a bug because an enforcement of URI encoding rules should be provided in any case;
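
The effect of writing a URI attribute value verbatim, as the report describes, next to a writer that escapes it, as an added example that is not part of the original message and is neither MyFaces nor RI code. The class and method names and the sample URLs are assumptions made for illustration, and the escaping shown is plain HTML attribute escaping, not the RI's HtmlUtils.writeURL.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

public class UriAttributeDemo {

    // Behaviour described in the report: the value is written verbatim.
    static void writeRaw(Writer out, String name, String value) throws IOException {
        out.write(" " + name + "=\"");
        out.write(value);
        out.write('"');
    }

    // Hypothetical corrected writer: escape the characters that are
    // significant inside a double-quoted HTML attribute value.
    static void writeEscaped(Writer out, String name, String value) throws IOException {
        out.write(" " + name + "=\"");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.write("&amp;");  break;
                case '"': out.write("&quot;"); break;
                case '<': out.write("&lt;");   break;
                case '>': out.write("&gt;");   break;
                default:  out.write(c);
            }
        }
        out.write('"');
    }

    // Renders an opening <form> tag with the given action value.
    static String render(boolean escape, String value) throws IOException {
        StringWriter sw = new StringWriter();
        sw.write("<form");
        if (escape) writeEscaped(sw, "action", value); else writeRaw(sw, "action", value);
        sw.write(">");
        return sw.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; the first is modelled on the portlet URL in the report.
        String[] samples = {
            "/HelloWorldJSFPortletWindow?action=1&viewId=%2Findex",
            "/search?q=\"a\"&page=2"
        };
        for (String s : samples) {
            System.out.println("raw:     " + render(false, s));
            System.out.println("escaped: " + render(true, s));
        }
    }
}
```

With the second sample, the raw writer lets the double quote in the value end the attribute early, so the rest of the URL is parsed as further markup; the escaped writer keeps the whole value inside the attribute.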
