[keycloak-dev] html encoded url in form actions - bug or feature?
Felix Meißner
felix.meissner at hanko.io
Wed Jul 18 02:37:44 EDT 2018
Hi all,
I just discovered that the action url of the login-form seems to get HTML
encoded and I wondered if that's a bug or a feature.
In
https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
you can see the following line:
<form id="kc-form-login" onsubmit="login.disabled = true; return true;"
action="${url.loginAction}" method="post">
On my instance, this resolves to something similar to this:
<form id="kc-form-login" onsubmit="login.disabled = true; return true;"
action="https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
method="post">
All "&" are encoded as "&amp;". This became an issue for me, when I tried to
call the url via JavaScript's fetch method. With the same URL, I got a
server error. When changing the URL to:
fetch("${url.loginAction?no_esc}", ...)
it finally worked.
Shouldn't all form-urls and href-urls not be escaped? What makes me wonder
is that the same URL just works for regular post requests! For
documentation on escaping you can find more information here:
https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
Greetings,
Felix
--
Ein Produkt der Cap3 GmbH, Ringstr. 19, 24114 Kiel, Deutschland
Registergericht: Amtsgericht Kiel, HRB 13257
Geschäftsführung: Felix
Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner
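The behaviour described in this mail, as an added illustration that is not part of the post or of Keycloak's own code: the same HTML-escaped URL round-trips correctly through an HTML attribute (the browser decodes the entities), but pasted into a JavaScript string it reaches the server with the literal text "&amp;", so the query keys become "amp;execution" and so on. A value placed inside a script string needs JavaScript-string escaping (FreeMarker's ?js_string), not HTML escaping; the URL below is a constructed sample with placeholder values.

```javascript
// Escape as an HTML auto-escaper would for an attribute value.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
// What the browser does when it reads the attribute back from the DOM.
function htmlUnescape(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, ">")
          .replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}
// Escape for a double-quoted JS string literal (the ?js_string job), using
// \uXXXX forms so the result is also valid JSON and can be parsed back.
function jsStringEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\u0027")
          .replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}
// Constructed sample shaped like the login-action URL in the mail (placeholders).
const loginAction =
  "https://idp.example/auth/realms/master/login-actions/authenticate" +
  "?session_code=SESSION_PLACEHOLDER&execution=EXEC_PLACEHOLDER" +
  "&client_id=security-admin-console&tab_id=TAB_PLACEHOLDER";

// Query parameter names as the server would parse them from a URL string.
function queryKeys(urlString) {
  return [...new URL(urlString).searchParams.keys()];
}
// Context 1: HTML attribute. Escaping is undone by the browser before the POST.
function attributeRoundTrip(url) {
  return htmlUnescape(htmlEscape(url));
}
// Context 2: HTML-escaped value dropped into a JS string. No entity decoding
// happens, so fetch() sends "&amp;execution=..." and the keys are mangled.
function keysSeenFromHtmlEscapedJsLiteral(url) {
  return queryKeys(htmlEscape(url));
}
// Context 3: JS-string-escaped value, read back as the JS engine would.
function jsLiteralRoundTrip(url) {
  return JSON.parse('"' + jsStringEscape(url) + '"');
}
```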