struts-issues mailing list archives

From "Brett Porter (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-3688) JavaScript URL validator in the FreeMarker template fails many valid URLs
Date Mon, 03 Oct 2011 01:20:33 GMT

     [ https://issues.apache.org/jira/browse/WW-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated WW-3688:
-----------------------------

    Attachment: WW-3688.diff
    
> JavaScript URL validator in the FreeMarker template fails many valid URLs
> -------------------------------------------------------------------------
>
>                 Key: WW-3688
>                 URL: https://issues.apache.org/jira/browse/WW-3688
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Brett Porter
>         Attachments: WW-3688.diff
>
>
> As far as I can tell, it will not allow the following in the path/query of an URL:
> "&", ";", "=" (query string)
> "+", "%" (encoded characters)
> "." (extensions)
> There are several others.
> In addition, particular hosts are not valid due to a lack of country code:
> - localhost
> - http://xn--rsum-bpad.example.org (from IRIs)
> - 10.1.1.1
> My understanding of the URI specification (http://tools.ietf.org/html/rfc3986) is that
> the following delimiters are valid unencoded: {{:/@!$&'()*+,;=}}, and the following characters
> are also allowed: {{.-_~}}, as well as pct-encoded {{%xx}}
> I've attached a patch to allow the extra characters, and to use those definitions for
> the userinfo and host as allowed in the spec. I've also broken out path, query and fragment
> explicitly.
> There are still several other valid URIs that this won't allow (e.g. file:///..., IPv6
> addresses), and there's a chance that the server-side validation (using java.net.URL) will
> differ to the client side - so it may be good to allow URL validation to be deferred to the
> server as an option as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
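The validator below is an added example, not the attached WW-3688.diff (which is not on this page) and not Struts code: a client-side JavaScript URL check built from the RFC 3986 character classes the report quotes, run against constructed sample URLs covering the cases the report lists (query delimiters, pct-encoding, extensions, localhost, a punycode host, an IPv4 address). Like the reporter's patch it does not handle IP-literals such as [::1].

```javascript
// Added example (not from the Struts project): an RFC 3986 based URL validator.
// Character classes follow RFC 3986 Appendix A.
const UNRESERVED = "A-Za-z0-9\\-._~";        // unreserved = ALPHA / DIGIT / - . _ ~
const SUB_DELIMS = "!$&'()*+,;=";            // sub-delims
const PCT = "%[0-9A-Fa-f]{2}";               // pct-encoded = "%" HEXDIG HEXDIG
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
const PCHAR = `(?:[${UNRESERVED}${SUB_DELIMS}:@]|${PCT})`;
const SCHEME = "[A-Za-z][A-Za-z0-9+\\-.]*";
const USERINFO = `(?:[${UNRESERVED}${SUB_DELIMS}:]|${PCT})*`;
// host = reg-name (which also covers dotted IPv4 and hosts without a TLD).
// IP-literal ([::1]) is deliberately not handled, matching the issue's stated gap.
const REG_NAME = `(?:[${UNRESERVED}${SUB_DELIMS}]|${PCT})*`;
const PORT = "[0-9]*";
const PATH_ABEMPTY = `(?:/${PCHAR}*)*`;      // path-abempty = *( "/" segment )
const QUERY = `(?:${PCHAR}|[/?])*`;          // query / fragment = *( pchar / "/" / "?" )

// Anchored with ^ and $ so the whole input must match, not just a substring of it.
const URL_RE = new RegExp(
  `^${SCHEME}://(?:${USERINFO}@)?${REG_NAME}(?::${PORT})?` +
  `${PATH_ABEMPTY}(?:\\?${QUERY})?(?:#${QUERY})?$`
);

function isValidUrl(value) {
  return typeof value === "string" && URL_RE.test(value);
}

// Constructed sample inputs covering the cases listed in the issue.
const SHOULD_ACCEPT = [
  "http://example.org/search?q=a+b&lang=en;page=2",  // & ; = + in the query
  "http://example.org/docs/file.html?n=100%25",      // "." in path, pct-encoded %
  "http://user:p%40ss@example.org:8443/",            // userinfo and port
  "http://localhost/",                               // host without a country code / TLD
  "http://xn--rsum-bpad.example.org",                // punycode host from an IRI
  "http://10.1.1.1/",                                // IPv4 address
];
const SHOULD_REJECT = [
  "http://[::1]/",                 // IP-literal: not covered by this grammar
  "http://example.org/a b",        // a space is never allowed unencoded
  "http://example.org/%zz",        // "%" must be followed by two hex digits
  "example.org/no-scheme",         // scheme and "//" authority are required
];

// Returns the inputs whose verdict differs from the expectation above.
function mismatches() {
  return SHOULD_ACCEPT.filter((u) => !isValidUrl(u))
    .concat(SHOULD_REJECT.filter((u) => isValidUrl(u)));
}
```

Because RFC 3986 lets reg-name be empty, this grammar also accepts file:///path; narrow SCHEME to the schemes the field should carry if that is not wanted. As the report notes, the server-side java.net.URL check can disagree with any client-side regex, so treat the browser check as user feedback only and let the server's validator be the one that decides.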
