[keycloak-dev] html encoded url in form actions - bug or feature?

Felix Meißner felix.meissner at hanko.io
Thu Jul 19 04:44:28 EDT 2018 

I expected URLs to be URL encoded, not HTML encoded. Nonetheless, I cannot
find any facts on how URLs should be encoded inside HTML, so maybe I am
wrong.
The problem occured, when I used a HTML-encoded URL inside JavaScript.
There, the URL will not be decoded before its sent to the server. When used
in a form however, the browser will decode the URL before sending it.

2018-07-19 1:38 GMT+02:00 Stan Silvert <ssilvert at redhat.com>:

> On 7/18/2018 2:37 AM, Felix Meißner wrote:
> > Hi all,
> >
> > I just discovered that the action url of the login-form seems to get HTML
> > encoded and I woundered, if thats a bug or a feature.
> It's a security feature.  We take advantage of FreeMarker's "escape by
> default" feature.  As you discovered, you can use ?no_esc to turn this off.
>
> I'm kind of interested in why fetch() didn't work.  The escaped version
> should be valid as a URL.
>
> >
> > In
> > https://github.com/keycloak/keycloak/blob/4.1.0.Final/
> themes/src/main/resources/theme/base/login/login.ftl
> > you can see the following line:
> >
> > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > action="${url.loginAction}" method="post">
> >
> > On my instance, this resolves to something similar to this:
> >
> > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > action="
> > https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/
> authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89
> Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-
> bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
> > method="post">
> >
> > All "&" are encoded as &amp;. This became an issue for me, when I tried
> to
> > call the url via JavaScripts fetch method. With the same URL, I got a
> > sevrer error. When changing the URL to:
> >
> > fetch("${url.loginAction?no_esc}", ...)
> >
> > it finally worked.
> >
> > Shouldn't all form-urls and href-urls not be escacped? What makes me
> wonder
> > is, that the same URL just works for regular post requests! For
> > documentation on escaping you can find more information here:
> > https://freemarker.apache.org/docs/dgui_quickstart_template.
> html#dgui_quickstart_template_autoescaping
> >
> > Greetings,
> > Felix
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Ein Produkt der Cap3 GmbH, Ringstr. 19, 24114 Kiel, Deutschland

Registergericht: Amtsgericht Kiel, HRB 13257
Geschäftsführung: Felix 
Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner

More information about the keycloak-dev mailing list