[jira] [Commented] (OFBIZ-2628) No Url encoding for get parameters

[Sascha Rodekamp (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/OFBIZ-2628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13246135#comment-13246135
 ] 

Sascha Rodekamp commented on OFBIZ-2628:
----------------------------------------

Hi Markus, hi Jacques

i got also a problem with german umlauts when loading a category with the name 
"Bäume". The 'ä' is not encoded correctly. 

But the issue OFBIZ-2837 has another problem. I tested this with the 
keywordsearchbox in the catalog screens. 
The Reqeust Handler calls the render process which calls a method 
"UtilHttp.getParameterMap", this method extracts the parameters from the 
request object. At the end of this all parameter values are canonicalized with 
the defaultWebEncoder. The result is that the "02S%000" search string becomes 
"02S 0". We do this encoding for security reasons, i'm wondering what we can do 
here to provide correct search strings and don't open a security hole?
Any suggestions?

Have a good day,
Sascha


 
                
> No Url encoding for get parameters
> ----------------------------------
>
>                 Key: OFBIZ-2628
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2628
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 4.0, Release Branch 09.04, SVN trunk
>         Environment: All
>            Reporter: Patrick Antivackis
>            Assignee: Sascha Rodekamp
>            Priority: Critical
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk
>
>         Attachments: OFBIZ-2628-Add-URL-encoding-to-RequestHandler.patch, 
> OFBIZ-2628-Add-URL-encoding-to-RequestHandler.patch
>
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> Let's say I want to create a new category which ID is  DVD+R
> Creation is ok through the admin interface, but whenever i want to access 
> this category, the get parameter productCategoryId=.... of the url is wrong 
> as it's not url encoded, so we have :
> https://localhost:8443/catalog/control/EditCategory?productCategoryId=DVD+R
>  instead of
> https://localhost:8443/catalog/control/EditCategory?productCategoryId=DVD%2BR
> Both <@ofbizUrl> tag and menu widgets are not encoding get parameters.
> Way to correct :
> framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java modify the 
> makeLink function
> framework/widget/src/org/ofbiz/widget/WidgetWorker.java : function 
> buildhyperlinkUrl need to use defaultWebEncoder.encodeForURL instead of 
> simpleEncoder
> Beofre i do the fix, can a core developper let me know about possible side 
> effects

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira