[keycloak-dev] html encoded url in form actions - bug or feature?

Stan Silvert ssilvert at redhat.com
Wed Jul 18 19:38:27 EDT 2018


On 7/18/2018 2:37 AM, Felix Meißner wrote:
> Hi all,
>
> I just discovered that the action url of the login-form seems to get HTML
> encoded and I wondered if that's a bug or a feature.
It's a security feature.  We take advantage of FreeMarker's "escape by 
default" feature.  As you discovered, you can use ?no_esc to turn this off.

I'm kind of interested in why fetch() didn't work.  The escaped version 
should be valid as a URL.

>
> In
> https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
> you can see the following line:
>
> <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> action="${url.loginAction}" method="post">
>
> On my instance, this resolves to something similar to this:
>
> <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> action="
> https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
> method="post">
>
> All "&" are encoded as &amp;. This became an issue for me, when I tried to
> call the url via JavaScript's fetch method. With the same URL, I got a
> server error. When changing the URL to:
>
> fetch("${url.loginAction?no_esc}", ...)
>
> it finally worked.
>
> Shouldn't all form-urls and href-urls not be escaped? What makes me wonder
> is that the same URL just works for regular post requests! For
> documentation on escaping you can find more information here:
> https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
>
> Greetings,
> Felix
>
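As an added example (not code from this thread or from the Keycloak project), the following shows why the same escaped URL works in the form's action attribute but not inside fetch(): an HTML parser decodes &amp; in attribute values before the browser submits the form, while the content of a script element is raw text, so a string literal keeps the literal "&amp;" and the server receives a parameter named "amp;execution" instead of "execution". The host, session code and execution id are constructed placeholders; decodeHtmlAttribute and jsStringLiteral are illustrative helpers, not Keycloak or FreeMarker APIs.

```javascript
// Added example (not from the Keycloak thread or project): why an HTML-escaped
// URL works in a form's action attribute but not inside a JavaScript string.
// All values below are constructed; the host and codes are placeholders.

// What an escape-by-default template emits for the login action URL:
// the '&' between query parameters becomes '&amp;'.
const ESCAPED_URL =
  "https://idp.example.invalid/auth/realms/master/login-actions/authenticate" +
  "?session_code=CONSTRUCTED_CODE&amp;execution=CONSTRUCTED_EXEC&amp;client_id=security-admin-console";

// Minimal decoder for the entities an HTML parser resolves in attribute values.
// A browser does this for action="..." before the form is submitted, which is
// why a regular POST works with the escaped text.
function decodeHtmlAttribute(text) {
  const entities = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m) => entities[m]);
}

// Query parameter names a server would see for a given request URL.
// URLSearchParams splits on a literal '&', exactly as a server-side parser does.
function queryParamNames(urlString) {
  return Array.from(new URL(urlString).searchParams.keys());
}

// Inside <script>, entities are NOT decoded: the string literal keeps '&amp;'
// and fetch() sends it verbatim, so the server sees 'amp;execution' and
// 'amp;client_id' instead of 'execution' and 'client_id'.
function paramsSeenFromScriptLiteral() {
  return queryParamNames(ESCAPED_URL);
}

// Inside action="...", the HTML parser decodes '&amp;' first, so the server
// sees the parameter names the template author intended.
function paramsSeenFromFormAction() {
  return queryParamNames(decodeHtmlAttribute(ESCAPED_URL));
}

// Context-correct embedding into a JS string literal: start from the raw
// (unescaped) URL and apply JavaScript string escaping rather than HTML
// escaping. '</' is additionally escaped so the value can never close the
// enclosing script element.
function jsStringLiteral(rawUrl) {
  return JSON.stringify(rawUrl).replace(/<\//g, "<\\/");
}

console.log(paramsSeenFromScriptLiteral()); // [ 'session_code', 'amp;execution', 'amp;client_id' ]
console.log(paramsSeenFromFormAction());    // [ 'session_code', 'execution', 'client_id' ]
console.log(jsStringLiteral(decodeHtmlAttribute(ESCAPED_URL)));
```

The practical takeaway is that escaping is per output context: HTML-escaping is right for an attribute value, and a value placed inside a script element needs JavaScript string escaping of the raw value instead. Turning escaping off with ?no_esc gives the raw value, but it then relies on that value never containing a quote or "</script"; emitting it through a JS-string escaper as above makes the embedding safe regardless of the value.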


