Hi Lucas,

I have a remark on this topic: today it is using PortletURL#toString() for writing the URL in HTML. It is clearly specified in the Portlet API spec that “the returned URL is not XML escaped”. Thereby it seems to me that this is just an error-prone usage; PortletURL#write(Writer out, boolean escapeXML) should be used instead.

Did I miss something?



On 3 February 2014 18:55, Lucas Ponce <lponce@redhat.com> wrote:
Hello,

One of our customers is asking again for W3C validation.

We are studying points where GateIn is not W3C compliant.

I think one of the most dangerous is about "&" in URLs, according to the W3C documentation:

------------------------

Ampersands (&'s) in URLs

Another common error occurs when including a URL which contains an ampersand ("&"):

<!-- This is invalid! --> <a href="foo.cgi?chapter=1&section=2&copy=3&lang=en">...</a>

This example generates an error for "unknown entity section" because the "&" is assumed to begin an entity reference. Browsers often recover safely from this kind of error, but real problems do occur in some cases. In this example, many browsers correctly convert &copy=3 to ©=3, which may cause the link to fail. Since &lang; is the HTML entity for the left-pointing angle bracket, some browsers also convert &lang=en to 〈=en. And one old browser even finds the entity &sect;, converting &section=2 to §ion=2.

To avoid problems with both validators and browsers, always use &amp; in place of & when writing URLs in HTML:

<a href="foo.cgi?chapter=1&amp;section=2&amp;copy=3&amp;lang=en">...</a>

Note that replacing & with &amp; is only done when writing the URL in HTML, where "&" is a special character (along with "<" and ">"). When writing the same URL in a plain text email message or in the location bar of your browser, you would use "&" and not "&amp;". With HTML, the browser translates "&amp;" to "&" so the Web server would only see "&" and not "&amp;" in the query string of the request.

--------------------------


We did some experiments in the past to encode "&" as "&amp;", but this has a negative effect on other components (i.e. WSRP).

Before starting to make a PoC about it, I would like to ask if someone has also tried a similar approach, so we can share our experiences about that.


Thanks,
Lucas



_______________________________________________
gatein-dev mailing list
gatein-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev



--
Trong Tran
(+84) 983841909 | trongtt@gmail.com
Twitter: http://twitter.com/trongtt
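To make the toString()/write(out, escapeXML) distinction concrete, here is an added example (my own plain Java, not GateIn or Portlet API code; the helper class name and methods are mine) that writes the W3C sample URL from the thread into an href attribute both ways. The escaping is applied only at the point where the URL is written into markup, which is the W3C note above: the browser turns &amp; back into & before sending the request, so the portlet still sees the original query string.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/**
 * Hypothetical helper showing what the escapeXML=true contract of
 * PortletURL#write(Writer, boolean) has to do: escape the XML/HTML
 * special characters so that "&" in the query string cannot be read
 * by the browser (or a validator) as the start of an entity reference.
 */
public final class HtmlUrlWriter {

    /** Escapes the characters that are special inside an HTML attribute value. */
    static String escapeXml(String url) {
        StringBuilder sb = new StringBuilder(url.length() + 16);
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the write(Writer out, boolean escapeXML) shape from the thread. */
    static void write(Writer out, String url, boolean escapeXml) throws IOException {
        out.write(escapeXml ? escapeXml(url) : url);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the W3C example URL quoted in the thread.
        String url = "foo.cgi?chapter=1&section=2&copy=3&lang=en";

        // escapeXml=false is what toString() gives today: "&copy" and "&lang"
        // are ambiguous in HTML, so validators reject it and some browsers
        // decode them as entities and break the link.
        StringWriter raw = new StringWriter();
        write(raw, url, false);
        System.out.println("<a href=\"" + raw + "\">...</a>");

        // escapeXml=true is the form that validates and that every browser
        // decodes back to the original "&"-separated query string.
        StringWriter safe = new StringWriter();
        write(safe, url, true);
        System.out.println("<a href=\"" + safe + "\">...</a>");
    }
}
```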