ICEfaces / ICE-8415

ice:commandLink with f:param that has a value that contains an apostrophe breaks functionality

    Details

      Description

      A JavaScript error is thrown when an ice:commandLink that uses an f:param tag that contains an apostrophe (single quote) is clicked. The apostrophe is not escaped and therefore gets added into the JavaScript call, which causes an incorrect syntax.

      This looks to have been resolved for the standard JSF components through this JSF JIRA: http://java.net/jira/browse/JAVASERVERFACES-542
      1. Case11492Example.zip
        19 kB
        Arran Mccullough
      2. Case11492Example2.zip
        19 kB
        Arran Mccullough

        Activity

        Arran Mccullough created issue -
        Arran Mccullough made changes -
        Field Original Value New Value
        Salesforce Case [5007000000NHg6V]
        Arran Mccullough added a comment -

        Attached test case that shows issue.

        Steps:

        • Load welcomeICEfaces.iface
        • Click on the "ICEface's Issue" Link, nothing happens and a JS error is thrown in the console.
        Arran Mccullough made changes -
        Attachment Case11492Example.war [ 14744 ]
        Attachment Case11492Example.zip [ 14745 ]
        Arran Mccullough made changes -
        Assignee Deryk Sinotte [ deryk.sinotte ]
        Arran Mccullough added a comment -

        Attached test case that shows this is still an issue in ICEfaces 3.1.0

        Arran Mccullough made changes -
        Attachment Case11492Example2.war [ 14761 ]
        Attachment Case11492Example2.zip [ 14762 ]
        Deryk Sinotte added a comment -

        The problem is in the com.icesoft.faces.renderkit.dom_html_basic.CommandLinkRenderer. Part of its job is to render out the onclick handler. The script for that handler is responsible for setting and then clearing the parameters and looks something like this:

        <a class="iceCmdLnk"
        href="javascript:;"
        id="iceForm:j_idt9"
        onblur="setFocus('');"
        onclick= "var form=formOf(this);

        //Set the values
        form['iceForm:j_idcl'].value='iceForm:j_idt9';
        form['name'].value='ICEfaces's Issue';

        //Submit the form
        iceSubmit(form,this,event);

        //Clear the values
        form['iceForm:j_idcl'].value='';
        form['name'].value='';
        return false;"
        onfocus="setFocus(this.id);">

        The problem is obvious as when an apostrophe is included, it's not properly escaped with a backslash (\') which leads to invalid JavaScript. I don't believe this requires the full escaping that is done via DOMUtils.escapeAnsi() as the contents are simply a valid JavaScript string. Instead, we just need to properly escape the single quote.

        Repository Revision Date User Message
        ICEsoft Public SVN Repository #30465 Fri Aug 10 11:44:38 MDT 2012 deryk.sinotte ICE-8415: escape single quotes in parameter values
        Files Changed
        Commit graph MODIFY /icefaces/trunk/icefaces/push-server/src/org/icefaces/push/server/ProductInfo.java
        Commit graph MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/CommandLinkRenderer.java
        Commit graph MODIFY /icefaces/trunk/icefaces/samples/portlet/location/web/WEB-INF/web.xml
        Commit graph MODIFY /icefaces/trunk/icefaces/samples/portlet/chat/web/WEB-INF/web.xml
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #30466 Fri Aug 10 11:50:18 MDT 2012 deryk.sinotte ICE-8415: revert inadvertent commits of unrelated files
        Files Changed
        Commit graph MODIFY /icefaces/trunk/icefaces/push-server/src/org/icefaces/push/server/ProductInfo.java
        Commit graph MODIFY /icefaces/trunk/icefaces/samples/portlet/location/web/WEB-INF/web.xml
        Commit graph MODIFY /icefaces/trunk/icefaces/samples/portlet/chat/web/WEB-INF/web.xml
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #30467 Fri Aug 10 11:50:33 MDT 2012 deryk.sinotte ICE-8415: escape single quotes in parameter values
        Files Changed
        Commit graph MODIFY /icefaces3/trunk/icefaces/compat/core/src/main/java/com/icesoft/faces/renderkit/dom_html_basic/CommandLinkRenderer.java
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #30468 Fri Aug 10 11:55:52 MDT 2012 deryk.sinotte ICE-8415: escape single quotes in parameter values
        Files Changed
        Commit graph MODIFY /icefaces3/branches/icefaces-3.0.x-maintenance/icefaces/compat/core/src/main/java/com/icesoft/faces/renderkit/dom_html_basic/CommandLinkRenderer.java
        Deryk Sinotte added a comment -

        I added a function to escape single quotes in the renderer and run each parameter through it. I applied and tested this on both ICEfaces 1.8.x and 3.x and both test cases now work - properly submitting the form.

        Deryk Sinotte made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s EE-3.0.0.GA_P01 [ 10327 ]
        Fix Version/s 3.2 [ 10338 ]
        Fix Version/s EE-1.8.2.GA_P05 [ 10331 ]
        Resolution Fixed [ 1 ]
        Stefaan Demurie added a comment - - edited

        problem: this yields a NPE when passing an empty param value!
        protected static String getJavascriptHiddenFieldSetters(
                FacesContext facesContext,
                UICommand uiCommand, Map parameters) {
            StringBuffer buffer;
            buffer = new StringBuffer("var form=formOf(this);form['");
            buffer.append(deriveCommonHiddenFieldName(facesContext, uiCommand));
            buffer.append("'].value='");
            buffer.append(uiCommand.getClientId(facesContext));
            buffer.append("';");
            Iterator parameterKeys = parameters.keySet().iterator();
            while (parameterKeys.hasNext()) {
                String nextParamName = (String) parameterKeys.next();
                Object nextParamValue = parameters.get(nextParamName);
                buffer.append("form['");
                buffer.append(nextParamName);
                buffer.append("'].value='");
                //ICE-8415: need to escape any single quotes in the value
                //of the parameter to ensure a valid JavaScript string.
                buffer.append(escapeQuote(nextParamValue.toString()));
                buffer.append("';");
            }

            return buffer.toString();
        }
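An added sketch, not the ICEfaces source or the committed fix, of a setter builder that covers both points raised in this thread: it tolerates a null parameter value, and it encodes every character outside a small safe set so that apostrophes, backslashes, double quotes and line breaks cannot terminate the JavaScript string or the surrounding onclick attribute. This goes beyond the single-quote escaping discussed above; the class and method names are hypothetical and the sample parameters are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HiddenFieldSetterSketch {

    // Encode a value for a single-quoted JavaScript string literal that is
    // itself emitted inside an HTML attribute. null becomes the empty string.
    static String escapeForJsString(Object value) {
        if (value == null) {
            return "";
        }
        String s = value.toString();
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == ' ' || c == '.'
                    || c == ',' || c == '_' || c == '-';
            if (plain) {
                out.append(c);
            } else {
                // Four-digit hex escape: covers both quote characters, the
                // backslash, &, <, >, line terminators and non-ASCII text.
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the parameter loop of the renderer's setter
    // builder; names and values go through the same encoder.
    static String hiddenFieldSetters(Map<String, ?> parameters) {
        StringBuilder buffer = new StringBuilder("var form=formOf(this);");
        for (Map.Entry<String, ?> e : parameters.entrySet()) {
            buffer.append("form['").append(escapeForJsString(e.getKey()))
                  .append("'].value='").append(escapeForJsString(e.getValue()))
                  .append("';");
        }
        return buffer.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: apostrophe, trailing backslash, null value.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "ICEface's Issue");
        params.put("path", "C:\\temp\\");
        params.put("empty", null);
        System.out.println(hiddenFieldSetters(params));
    }
}
```

In the browser, the JavaScript parser decodes each escape back to the original character, so the hidden field receives the unmodified parameter value.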

        Deryk Sinotte added a comment - - edited

        Case ICE-8749 has been opened for this issue and a fix checked into the current ICEfaces 3 trunk for future releases.

        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Deryk Sinotte
            Reporter:
            Arran Mccullough
          • Votes:
            0
            Watchers:
            2