ICEfaces
  1. ICEfaces
  2. ICE-8415

ice:commandLink with f:param that has a value that contains an apostrophe breaks functionality

          Details

            Description

            A JavaScript error is thrown when an ice:commandLink uses a f:param tag that contains an apostrophe (single quote) is clicked. The apostrphe is not escaped and there for gets added into the JavaScript call which causes an incorrect syntax.

            This looks to have been resolved for the standard JSF components through this JSF JIRA: http://java.net/jira/browse/JAVASERVERFACES-542
            2. Zip Archive
              Case11492Example.zip
              19 kB
              Arran Mccullough
            4. Zip Archive
              Case11492Example2.zip
              19 kB
              Arran Mccullough

              Activity

              Ascending order - Click to sort in descending order
              Hide
              Permalink
              Arran Mccullough added a comment -

              Attached test case that shows issue.

              Steps:

              • Load welcomeICEfaces.iface
              • Click on the "ICEface's Issue" Link, nothing happens and a JS error is thrown in the console.
              Show
              Arran Mccullough added a comment - Attached test case that shows issue. Steps: Load welcomeICEfaces.iface Click on the "ICEface's Issue" Link, nothing happens and a JS error is thrown in the console.
              Hide
              Permalink
              Arran Mccullough added a comment -

              Attached test case that shows this is still and issue in ICEfaces 3.1.0

              Show
              Arran Mccullough added a comment - Attached test case that shows this is still and issue in ICEfaces 3.1.0
              Hide
              Permalink
              Deryk Sinotte added a comment -

              The problem is in the com.icesoft.faces.renderkit.dom_html_basic.CommandLinkRenderer. Part of it's job is to render out the onclick handler. The script for that handler is responsible for setting and then clearing the parameters and looks something like this:

              <a class="iceCmdLnk"
              href="javascript:;"
              id="iceForm:j_idt9"
              onblur="setFocus('');"
              onclick= "var form=formOf(this);

              //Set the values
              form['iceForm:j_idcl'].value='iceForm:j_idt9';
              form['name'].value='ICEfaces's Issue';

              //Submit the form
              iceSubmit(form,this,event);

              //Clear the values
              form['iceForm:j_idcl'].value='';
              form['name'].value='';
              return false;"
              onfocus="setFocus(this.id);">

              The problem is obvious as when an apostrophe is included, it's not properly escaped with a backslash (\') which leads to invalid JavaScript. I don't believe this requires the full escaping that is done via DOMUtils.escapeAnsi() as the contents are simply a valid JavaScript string. Instead, we just need to properly escape the single quote.

              Show
              Deryk Sinotte added a comment - The problem is in the com.icesoft.faces.renderkit.dom_html_basic.CommandLinkRenderer. Part of it's job is to render out the onclick handler. The script for that handler is responsible for setting and then clearing the parameters and looks something like this: <a class="iceCmdLnk" href="javascript:;" id="iceForm:j_idt9" onblur="setFocus('');" onclick= "var form=formOf(this); //Set the values form ['iceForm:j_idcl'] .value='iceForm:j_idt9'; form ['name'] .value='ICEfaces's Issue'; //Submit the form iceSubmit(form,this,event); //Clear the values form ['iceForm:j_idcl'] .value=''; form ['name'] .value=''; return false;" onfocus="setFocus(this.id);"> The problem is obvious as when an apostrophe is included, it's not properly escaped with a backslash (\') which leads to invalid JavaScript. I don't believe this requires the full escaping that is done via DOMUtils.escapeAnsi() as the contents are simply a valid JavaScript string. Instead, we just need to properly escape the single quote.
              Hide
              Permalink
              Deryk Sinotte added a comment -

              I added a function to escape single quotes in the renderer and run each parameter through it. I applied and tested this on both ICEfaces 1.8.x and 3.x and both test cases now work - properly submitting the form.

              Show
              Deryk Sinotte added a comment - I added a function to escape single quotes in the renderer and run each parameter through it. I applied and tested this on both ICEfaces 1.8.x and 3.x and both test cases now work - properly submitting the form.
              Hide
              Permalink
              Stefaan Demurie added a comment - - edited

              problem: this yields a NPE when passing an empty param value!
              protected static String getJavascriptHiddenFieldSetters(
              FacesContext facesContext,
              UICommand uiCommand, Map parameters) {
              StringBuffer buffer;
              buffer = new StringBuffer("var form=formOf(this);form['");
              buffer.append(deriveCommonHiddenFieldName(facesContext, uiCommand));
              buffer.append("'].value='");
              buffer.append(uiCommand.getClientId(facesContext));
              buffer.append("';");
              Iterator parameterKeys = parameters.keySet().iterator();
              while (parameterKeys.hasNext())

              { String nextParamName = (String) parameterKeys.next(); Object nextParamValue = parameters.get(nextParamName); buffer.append("form['"); buffer.append(nextParamName); buffer.append("'].value='"); //ICE-8415: need to escape any single quotes in the value //of the parameter to ensure a valid JavaScript string. buffer.append(escapeQuote(nextParamValue.toString())); buffer.append("';"); }

              return buffer.toString();
              }

              Show
              Stefaan Demurie added a comment - - edited problem: this yields a NPE when passing an empty param value! protected static String getJavascriptHiddenFieldSetters( FacesContext facesContext, UICommand uiCommand, Map parameters) { StringBuffer buffer; buffer = new StringBuffer("var form=formOf(this);form['"); buffer.append(deriveCommonHiddenFieldName(facesContext, uiCommand)); buffer.append("'].value='"); buffer.append(uiCommand.getClientId(facesContext)); buffer.append("';"); Iterator parameterKeys = parameters.keySet().iterator(); while (parameterKeys.hasNext()) { String nextParamName = (String) parameterKeys.next(); Object nextParamValue = parameters.get(nextParamName); buffer.append("form['"); buffer.append(nextParamName); buffer.append("'].value='"); //ICE-8415: need to escape any single quotes in the value //of the parameter to ensure a valid JavaScript string. buffer.append(escapeQuote(nextParamValue.toString())); buffer.append("';"); } return buffer.toString(); }
              Hide
              Permalink
              Deryk Sinotte added a comment - - edited

              Case ICE-8749 has been opened for this issue and a fix checked into the current ICEfaces 3 trunk for future releases.

              Show
              Deryk Sinotte added a comment - - edited Case ICE-8749 has been opened for this issue and a fix checked into the current ICEfaces 3 trunk for future releases.

                People

                • Assignee:
                  Deryk Sinotte
                  Reporter:
                  Arran Mccullough
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: