ICEfaces / ICE-8415

ice:commandLink with f:param that has a value that contains an apostrophe breaks functionality

    Details

      Description

      A JavaScript error is thrown when an ice:commandLink that uses an f:param tag containing an apostrophe (single quote) is clicked. The apostrophe is not escaped and therefore gets added into the JavaScript call, which causes incorrect syntax.

      This looks to have been resolved for the standard JSF components through this JSF JIRA: http://java.net/jira/browse/JAVASERVERFACES-542
      1. Case11492Example.zip
        19 kB
        Arran Mccullough
      2. Case11492Example2.zip
        19 kB
        Arran Mccullough

        Activity

        Arran Mccullough added a comment -

        Attached test case that shows issue.

        Steps:

        • Load welcomeICEfaces.iface
        • Click on the "ICEface's Issue" Link, nothing happens and a JS error is thrown in the console.
        Arran Mccullough added a comment -

        Attached test case that shows this is still an issue in ICEfaces 3.1.0

        Deryk Sinotte added a comment -

        The problem is in the com.icesoft.faces.renderkit.dom_html_basic.CommandLinkRenderer. Part of its job is to render out the onclick handler. The script for that handler is responsible for setting and then clearing the parameters and looks something like this:

        <a class="iceCmdLnk"
        href="javascript:;"
        id="iceForm:j_idt9"
        onblur="setFocus('');"
        onclick= "var form=formOf(this);

        //Set the values
        form['iceForm:j_idcl'].value='iceForm:j_idt9';
        form['name'].value='ICEfaces's Issue';

        //Submit the form
        iceSubmit(form,this,event);

        //Clear the values
        form['iceForm:j_idcl'].value='';
        form['name'].value='';
        return false;"
        onfocus="setFocus(this.id);">

        The problem is obvious as when an apostrophe is included, it's not properly escaped with a backslash (\') which leads to invalid JavaScript. I don't believe this requires the full escaping that is done via DOMUtils.escapeAnsi() as the contents are simply a valid JavaScript string. Instead, we just need to properly escape the single quote.

        Deryk Sinotte added a comment -

        I added a function to escape single quotes in the renderer and run each parameter through it. I applied and tested this on both ICEfaces 1.8.x and 3.x and both test cases now work - properly submitting the form.

        Stefaan Demurie added a comment - - edited

        problem: this yields a NPE when passing an empty param value!
        protected static String getJavascriptHiddenFieldSetters(
                FacesContext facesContext,
                UICommand uiCommand, Map parameters) {
            StringBuffer buffer;
            buffer = new StringBuffer("var form=formOf(this);form['");
            buffer.append(deriveCommonHiddenFieldName(facesContext, uiCommand));
            buffer.append("'].value='");
            buffer.append(uiCommand.getClientId(facesContext));
            buffer.append("';");
            Iterator parameterKeys = parameters.keySet().iterator();
            while (parameterKeys.hasNext()) {
                String nextParamName = (String) parameterKeys.next();
                Object nextParamValue = parameters.get(nextParamName);
                buffer.append("form['");
                buffer.append(nextParamName);
                buffer.append("'].value='");
                //ICE-8415: need to escape any single quotes in the value
                //of the parameter to ensure a valid JavaScript string.
                buffer.append(escapeQuote(nextParamValue.toString()));
                buffer.append("';");
            }

            return buffer.toString();
        }

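A null-safe escaping helper for the onclick script discussed in the comments above, as an added example that is not ICEfaces source and not the fix committed for ICE-8415 or ICE-8749. It covers the apostrophe and the null parameter value reported on this page and goes further by also escaping backslashes and line breaks. All class and method names are hypothetical, and the HTML attribute encoding step assumes the attribute is written as raw text rather than through a serializer that already encodes it.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; names are hypothetical and not part of ICEfaces.
public class OnclickParamEscaping {

    // Layer 1: make a value safe inside a single-quoted JavaScript string literal.
    // A null value becomes the empty string, so no NullPointerException is possible.
    static String escapeJsString(Object value) {
        if (value == null) return "";
        String s = value.toString();
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break; // a trailing backslash would otherwise escape the closing quote
                case '\'': out.append("\\'");  break; // the case reported in this issue
                case '\n': out.append("\\n");  break; // raw line breaks end a JS string literal
                case '\r': out.append("\\r");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Layer 2 (assumption: attribute written as raw text): the finished script
    // sits inside a double-quoted HTML attribute, so encode it for that context.
    static String escapeHtmlAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Builds the "set the values" part of the handler from the parameter map.
    static String hiddenFieldSetters(Map<String, Object> params) {
        StringBuilder js = new StringBuilder("var form=formOf(this);");
        for (Map.Entry<String, Object> e : params.entrySet()) {
            js.append("form['").append(escapeJsString(e.getKey()))
              .append("'].value='").append(escapeJsString(e.getValue())).append("';");
        }
        return escapeHtmlAttr(js.toString());
    }

    public static void main(String[] args) {
        Map<String, Object> params = new LinkedHashMap<>(); // constructed sample input
        params.put("name", "ICEfaces's Issue"); // apostrophe from the test case
        params.put("empty", null);              // missing value from the NPE report
        params.put("path", "C:\\temp\\");       // value ending in a backslash
        System.out.println("onclick=\"" + hiddenFieldSetters(params) + "\"");
    }
}
```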
        Deryk Sinotte added a comment - - edited

        Case ICE-8749 has been opened for this issue and a fix checked into the current ICEfaces 3 trunk for future releases.


          People

          • Assignee:
            Deryk Sinotte
            Reporter:
            Arran Mccullough