What are you actually trying to do? Are you scraping the url from the login
form? That's not really something you should be doing.
On Thu, 19 Jul 2018 at 10:46, Felix Meißner <felix.meissner(a)hanko.io> wrote:
I expected URLs to be URL encoded, not HTML encoded. Nonetheless, I cannot
find any facts on how URLs should be encoded inside HTML, so maybe I am
wrong.
The problem occurred when I used an HTML-encoded URL inside JavaScript.
There, the URL will not be decoded before it's sent to the server. When used
in a form, however, the browser will decode the URL before sending it.
2018-07-19 1:38 GMT+02:00 Stan Silvert <ssilvert(a)redhat.com>:
> On 7/18/2018 2:37 AM, Felix Meißner wrote:
> > Hi all,
> >
> > I just discovered that the action url of the login-form seems to get
> > HTML encoded and I wondered if that's a bug or a feature.
> It's a security feature. We take advantage of FreeMarker's "escape by
> default" feature. As you discovered, you can use ?no_esc to turn this
> off.
>
> I'm kind of interested in why fetch() didn't work. The escaped version
> should be valid as a URL.
>
> >
> > In
> > https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
> > you can see the following line:
> >
> > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > action="${url.loginAction}" method="post">
> >
> > On my instance, this resolves to something similar to this:
> >
> > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > action="https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
> > method="post">
> >
> > All "&" are encoded as "&amp;". This became an issue for me when I tried
> > to call the url via JavaScript's fetch method. With the same URL, I got a
> > server error. When changing the URL to:
> >
> > fetch("${url.loginAction?no_esc}", ...)
> >
> > it finally worked.
> >
> > Shouldn't all form-urls and href-urls be unescaped? What makes me
> > wonder is that the same URL just works for regular post requests! For
> > documentation on escaping you can find more information here:
> > https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
> >
> > Greetings,
> > Felix
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
A product of Cap3 GmbH, Ringstr. 19, 24114 Kiel, Germany
Court of registration: Amtsgericht Kiel, HRB 13257
Managing directors: Felix Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner
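An added example, not code from the thread or from Keycloak, that reproduces the two contexts Felix describes in Node.js: read through a form attribute the HTML-escaped URL is decoded by the HTML parser, but passed into fetch() as a JS string it reaches the server unchanged, where the query parser then sees a parameter named "amp;execution" and no "execution" at all. The host and parameter values are constructed placeholders, and jsStringLiteral shows JSON-style escaping as the context-appropriate alternative to dropping escaping with ?no_esc.

```javascript
// Added example, not code from the thread or from Keycloak: reproduce the two
// contexts in Node.js. Host and parameter values are constructed placeholders.
const RAW_URL =
  "https://idp.example.test:8443/auth/realms/master/login-actions/authenticate" +
  "?session_code=SESSIONCODE&execution=EXECUTIONID" +
  "&client_id=security-admin-console&tab_id=TABID";

// Models what FreeMarker's HTML auto-escaping emits for ${url.loginAction}.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Models what the HTML parser does with an attribute value such as action="...".
// Only the five entities produced above are handled, which covers this case.
function htmlAttributeDecode(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => map[name]);
}

// Query parameters as the server sees them for a given request URL.
function serverSideParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Form context: the browser decodes the attribute before submitting,
// so the server receives the intended parameters.
function paramsViaFormAction(escapedUrl) {
  return serverSideParams(htmlAttributeDecode(escapedUrl));
}

// JS string context: fetch("${url.loginAction}") ships the escaped text as-is,
// so the server sees a parameter literally named "amp;execution" and no "execution".
function paramsViaFetch(escapedUrl) {
  return serverSideParams(escapedUrl);
}

// Context-appropriate escaping for a JS string literal: a JSON string literal
// with "<" escaped, instead of HTML entities or no escaping at all (?no_esc).
function jsStringLiteral(url) {
  return JSON.stringify(url).replace(/</g, "\\u003c");
}
```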