[ 
https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13119209#comment-13119209
 ] 

Hudson commented on WW-3688:
----------------------------

Integrated in Struts2 #358 (See [https://builds.apache.org/job/Struts2/358/])
    WW-3688 JavaScript URL validator in the FreeMarker template fails many valid URLs

mcucchiara : 
Files : 
* /struts/struts2/trunk/core/src/main/resources/template/xhtml/form-close-validate.ftl

> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>            Assignee: Maurizio Cucchiara
>             Fix For: 2.3
>
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of a 
> URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification 
> (http://tools.ietf.org/html/rfc3986) is that the following delimiters are 
> valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters are also 
> allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those 
> definitions for the userinfo and host as allowed in the spec. I've also 
> broken out path, query and fragment explicitly.
> There are still several other valid URIs that this won't allow (e.g. 
> file:///..., IPv6 addresses), and there's a chance that the server-side 
> validation (using java.net.URL) will differ to the client side - so it may be 
> good to allow URL validation to be deferred to the server as an option as 
> well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
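
An added example, not the attached WW-3688.diff or any Struts code: a client-side pattern built from the RFC 3986 character sets the issue description lists, with path, query and fragment broken out, run against the cases it names. All identifiers are hypothetical, the scheme list is an assumption, and the WHATWG `URL` parser stands in for a server-side parser to show where the two checks disagree.

```javascript
// Added example; every name below is hypothetical, none comes from Struts.
// Character sets from RFC 3986: unreserved, sub-delims, pct-encoded.
const UNRESERVED = "A-Za-z0-9\\-._~";
const SUB_DELIMS = "!$&'()*+,;=";
const PCT = "%[0-9A-Fa-f]{2}";

// A run of allowed characters (plus `extra`) or pct-encoded triplets.
// "%" is outside the class, so the two alternatives never overlap.
const run = (extra, quant) =>
  `(?:[${UNRESERVED}${SUB_DELIMS}${extra}]|${PCT})${quant}`;

const URL_RE = new RegExp(
  "^(?:https?|ftp)://" +          // assumption: only these schemes
  `(?:${run(":", "*")}@)?` +      // userinfo
  run("", "+") +                  // host as reg-name (no IPv6 literal)
  "(?::[0-9]*)?" +                // port
  `(?:/${run(":@", "*")})*` +     // path segments
  `(?:\\?${run(":@/?", "*")})?` + // query
  `(?:#${run(":@/?", "*")})?$`    // fragment
);

function isPlausibleUrl(value) {
  return typeof value === "string" && URL_RE.test(value);
}

// Stand-in for a server-side parser (WHATWG URL, not java.net.URL).
function parserAccepts(value) {
  try { new URL(value); return true; } catch (e) { return false; }
}

// Constructed inputs based on the cases named in the issue description.
const SAMPLES = [
  "http://localhost",
  "http://xn--rsum-bpad.example.org",
  "http://10.1.1.1",
  "http://example.org/a.b/c+d%20e?x=1&y=2;z=3#top",
  "http://user:pw@example.org:8080/",
  "http://example.org/a b",   // raw space
  "http://example.org/%zz",   // malformed pct-encoding
  "http://[::1]/",            // IPv6 literal
  "file:///etc/hosts",        // scheme outside the allowlist
];

// Inputs on which the client-side pattern and the parser disagree.
function disagreements() {
  return SAMPLES.filter((s) => isPlausibleUrl(s) !== parserAccepts(s));
}
```

Any input returned by `disagreements()` is one where the browser-side check and the parser reach different verdicts, so the server-side result has to be the one that decides.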

        
