Re: [keycloak-dev] html encoded url in form actions - bug or feature?

On 7/18/2018 2:37 AM, Felix Meißner wrote: > Hi all, > > I just discovered that the action url of the login-form seems to get HTML > encoded and I woundered, if thats a bug or a feature. It's a security feature. We take advantage of FreeMarker's "escape by default" feature. As you discovered, you can use ?no_esc to turn this off. I'm kind of interested in why fetch() didn't work. The escaped version should be valid as a URL. > > In > https://github.com/keycloak/keycloak/blob/4.1.0.Final/ themes/src/main/resources/theme/base/login/login.ftl > you can see the following line: > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;" > action="${url.loginAction}" method="post"> > > On my instance, this resolves to something similar to this: > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;" > action=" > https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/ authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89 Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603- bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE" > method="post"> > > All "&" are encoded as &amp;. This became an issue for me, when I tried to > call the url via JavaScripts fetch method. With the same URL, I got a > sevrer error. When changing the URL to: > > fetch("${url.loginAction?no_esc}", ...) > > it finally worked. > > Shouldn't all form-urls and href-urls not be escacped? What makes me wonder > is, that the same URL just works for regular post requests! For > documentation on escaping you can find more information here: > https://freemarker.apache.org/docs/dgui_quickstart_template. html#dgui_quickstart_template_autoescaping > > Greetings, > Felix > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev