ExternalContext.encodeActionUrl() must not be used for URL parameter values
---------------------------------------------------------------------------
Key: EXTCDI-87
URL: https://issues.apache.org/jira/browse/EXTCDI-87
Project: MyFaces CODI
Issue Type: Bug
Components: JEE-JSF12-Module, JEE-JSF20-Module
Affects Versions: 0.9.0
Reporter: Jakob Korherr
Assignee: Jakob Korherr

Currently there are some places where we're using
ExternalContext.encodeActionUrl(). Sometimes the value is a whole URL - in this
case encodeActionUrl() fits. However sometimes we're using it to encode a URL
parameter value, which is wrong, because this method is designed to encode the
final URL including all parameters and thus does not encode parameter values as
expected.

The right way is to use URLEncoder.encode() for URL parameter values. See
MyFaces' ExternalContext impl for details:
ServletExternalContextImpl.encodeURL().
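
The difference described in this issue, as an added example that is not CODI or MyFaces code. It assumes Java 10+, a servlet container with cookie-based sessions (so the whole-URL encoder returns its input unchanged, modelled by the hypothetical encodeActionUrlStandIn()), and a constructed URL, parameter name and value.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class ParamEncodingDemo {

    // Stand-in (assumption) for ExternalContext.encodeActionURL() in a servlet
    // container with cookie-based sessions: the finished URL comes back
    // unchanged, nothing is percent-encoded.
    static String encodeActionUrlStandIn(String url) {
        return url;
    }

    // Splits the query string into parameters the way the receiving side would.
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            String name = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
            String value = kv.length > 1
                    ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) {
        String base = "/app/page.xhtml?target=";      // constructed URL and parameter name
        String value = "/next.xhtml?id=1&mode=edit";  // constructed parameter value

        // Wrong: the whole-URL encoder applied to a parameter value.
        // '&' and '=' inside the value stay literal and split it apart.
        String wrong = base + encodeActionUrlStandIn(value);

        // Right: percent-encode the value with URLEncoder, build the URL,
        // then hand the finished URL to the whole-URL encoder.
        String right = encodeActionUrlStandIn(
                base + URLEncoder.encode(value, StandardCharsets.UTF_8));

        System.out.println(wrong + " -> " + parseQuery(wrong));
        System.out.println(right + " -> " + parseQuery(right));
    }
}
```

In the first URL the receiver sees a truncated target plus a separate mode parameter that the caller never intended to send; in the second, target carries the full original value.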