Re: [gatein-dev] Resolved NodePath in PortalRequestContext
On 07/30/2013 03:27 PM, Julien Viet wrote:
On Jul 30, 2013, at 8:55 PM, Nick Scavelli <nscavell(a)redhat.com
<mailto:nscavell@redhat.com>> wrote:
>
> On 07/30/2013 12:58 PM, Julien Viet wrote:
>> Hi,
>>
>> I don't know about the functional validity of this change (yet), but
>> technically speaking you should never use java.net.URLDecoder for
>> encoding or decoding strings.
> Not sure what you mean here. I'm not encoding and decoding. I removed
> the line that used EntityEncoder to encode the path in
> PortalRequestHandler. This was added to fix XSS exploit, however it
> caused issues.
>>
>> Why do you need to decode the URL created by NodeURL.toString() ?
> Because it's an encoded value. For example a path of /home/ábá in
> NodeURL would be /home/%C3%A1b%C3%A1.
why not add a toWhateverFormatString() that does the job properly
instead on NodeURL instead of having an URL -> encoded -> decoded ?
I think
you are misunderstanding things here. The resolved node path is
used to create the NodeURL in the code you are referring to. The actual
URL being generated is not a simple string. For example it generates a
URL like /portal/g/:platform:administrators/administration/registry
which is context based.
>>
>> On Jul 30, 2013, at 6:23 PM, Nick Scavelli <nscavell(a)redhat.com
>> <mailto:nscavell@redhat.com>> wrote:
>>
>>> TLDR: eXo.env.server.portalBaseURL and
>>> eXo.env.server.portalURLTemplate have changed to include only the
>>> resolved path.
>>>
>>> I've made a change (http://git.io/ogoWhw) which has only been
>>> applied to master so it can resonate a bit in hopes there are no
>>> issues. I have added a resolvedNodePath field to
>>> PortalRequestContext (even though I think nodePath should be
>>> changed) to represent the resolved path of the portal. Meaning if I
>>> go to URL /portal/classic/home/foo the resolved path is just /home
>>> not /home/foo.
>>>
>>> The reason for this change was that a fix was applied to decode the
>>> nodePath in order to avoid XSS in the URL since we use this value
>>> to create the JavaScript variables eXo.env.server.portalBaseURL and
>>> eXo.env.server.portalURLTemplate. However this caused an issue for
>>> non-ascii node names since the route couldn't be found after
>>> decoding. I think the resolvedNodePath is a better solution however
>>> it does change the behavior of the JS variables I mentioned.
>>>
>>> If anyone sees a potential issue with this solution please discuss
>>> here.
>>>
>>> - Nick
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>
Attachments:
- attachment.html (text/html — 7.0 KB)