Details
Type: Improvement
Status: Closed
Priority: Minor
Resolution: Invalid
Affects Version/s: 1.7
Fix Version/s: None
Component/s: ICE-Components
Labels: None
Environment: Any
Support Case References:
Description
The current behavior of components such as outputLink, commandButton, etc. is to render single quotes used in any attribute value as a character entity (e.g. &#39;) and double quotes as &quot;. To prevent cross-site scripting, only outputText has an escape attribute.
This improvement request is to add a lesser escape attribute to commandButton, commandLink, outputLink, etc.
Basically this "soft escape" attribute would (if set to false) not escape single and double quotes. An example use case where this is needed is:
<ice:outputLink value="http://www.google.com" onclick="javascript: doSomething('important', '40');">......
In this case the onclick will render with &#39; for the single quotes, which will not work properly with the JavaScript method being called. If a softescape="false" (or similar) attribute was allowed, this situation could be solved.
Note that the XML attribute syntax allows the following:
AttValue ::= '"' ([^<&"] | Reference)* '"' | "'" ([^<&'] | Reference)* "'"
So a softescape attribute would only need to ignore the escaping of a few characters, while still maintaining security against cross site scripting.
We should see how stock JSF does single-quote and double-quote escaping on attribute values, to determine whether we should enable a special mode or just bring our escaping algorithm in line with theirs.
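The escaping discussed in the request above, as an added example that is not ICEfaces or JSF code: a minimal attribute renderer in JavaScript implementing the full escaping the reporter describes and the "soft" variant derived from the AttValue production (escape only '<', '&' and the delimiter actually used), plus a check that an escaped value still matches that production. All function names (escapeAttributeFull, escapeAttributeSoft, renderAttribute, isWellFormedAttValue, buildOnclick) and the sample values are assumptions made for illustration; the injection strings are constructed inputs, not taken from any report.

```javascript
// Added example (hypothetical helpers, not the ICEfaces/JSF renderer).

// Full escaping, matching the behaviour the request describes: both quote
// characters become entities no matter which delimiter wraps the value.
function escapeAttributeFull(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // always first, so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Soft" escaping per the AttValue production: inside a value delimited by
// `delimiter`, only '<', '&' and that delimiter are forbidden raw, so only
// those are escaped. The other quote character is left untouched.
function escapeAttributeSoft(value, delimiter) {
  if (delimiter !== '"' && delimiter !== "'") {
    throw new Error('delimiter must be " or \'');
  }
  const out = String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;');
  return delimiter === '"' ? out.replace(/"/g, '&quot;') : out.replace(/'/g, '&#39;');
}

// Render name=<delim>value<delim>. `soft` selects the escaping mode; the
// escaper and the renderer share the delimiter, which is what keeps soft
// escaping safe.
function renderAttribute(name, value, delimiter = '"', soft = false) {
  const escaped = soft ? escapeAttributeSoft(value, delimiter) : escapeAttributeFull(value);
  return `${name}=${delimiter}${escaped}${delimiter}`;
}

// Check an already-escaped value against the AttValue production: every
// character is either allowed raw for this delimiter or part of a Reference
// (&name; / &#digits; / &#xhex;). A raw delimiter anywhere means the value
// can close the attribute early, i.e. an attribute-context injection.
function isWellFormedAttValue(escaped, delimiter) {
  const forbidden = delimiter === '"' ? '<&"' : "<&'";
  const re = new RegExp(
    `^(?:[^${forbidden}]|&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)*$`
  );
  return re.test(escaped);
}

// Attribute escaping only protects the HTML attribute layer. Data placed
// inside the JavaScript string literals of an onclick needs JS-string
// escaping first; JSON.stringify gives a double-quoted JS literal with any
// embedded quotes and backslashes escaped. `fnName` is restricted to an
// identifier so the call target itself cannot be injected.
function buildOnclick(fnName, ...args) {
  if (!/^[A-Za-z_$][\w$]*$/.test(fnName)) {
    throw new Error('fnName must be a plain identifier');
  }
  return `${fnName}(${args.map((a) => JSON.stringify(String(a))).join(',')})`;
}

// Stand-alone demonstration of the request's own example and of a
// constructed attribute-breakout attempt.
function demo() {
  const handler = "javascript: doSomething('important', '40');";
  const hostile = 'x" onmouseover="alert(1)'; // constructed input
  return {
    full: renderAttribute('onclick', handler),
    soft: renderAttribute('onclick', handler, '"', true),
    hostileSoft: renderAttribute('title', hostile, '"', true),
    hostileOk: isWellFormedAttValue(escapeAttributeSoft(hostile, '"'), '"'),
    // Soft-escaped for '"' but emitted inside "'" quotes: the delimiters
    // disagree, the value can break out, and the grammar check catches it.
    mismatchOk: isWellFormedAttValue(escapeAttributeSoft("x' y", '"'), "'"),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two points the functions make concrete. First, soft escaping is safe only while the escaper and the renderer agree on the delimiter; the `mismatchOk` case shows a value escaped for '"' and emitted inside "'" quotes failing the AttValue check. Second, keeping the attribute well-formed says nothing about the JavaScript inside it: `buildOnclick` handles the JS-string layer before the value reaches the attribute layer, which is the ordering a renderer for user-influenced event handlers needs. Separately, HTML parsers decode character references in attribute values before an event-handler attribute's source is handed to the script engine, so in a browser `onclick="doSomething(&#39;important&#39;)"` runs the same as the unescaped form.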