[keycloak-dev] html encoded url in form actions - bug or feature?

Stian Thorgersen sthorger at redhat.com
Fri Jul 20 06:28:00 EDT 2018


What are you actually trying to do? Are you scraping the url from the login
form? That's not really something you should be doing.

On Thu, 19 Jul 2018 at 10:46, Felix Meißner <felix.meissner at hanko.io> wrote:

> I expected URLs to be URL encoded, not HTML encoded. Nonetheless, I cannot
> find any facts on how URLs should be encoded inside HTML, so maybe I am
> wrong.
> The problem occurred when I used an HTML-encoded URL inside JavaScript.
> There, the URL will not be decoded before it's sent to the server. When used
> in a form however, the browser will decode the URL before sending it.
>
> 2018-07-19 1:38 GMT+02:00 Stan Silvert <ssilvert at redhat.com>:
>
> > On 7/18/2018 2:37 AM, Felix Meißner wrote:
> > > Hi all,
> > >
> > > I just discovered that the action url of the login-form seems to get
> > > HTML encoded and I wondered if that's a bug or a feature.
> > It's a security feature.  We take advantage of FreeMarker's "escape by
> > default" feature.  As you discovered, you can use ?no_esc to turn this
> > off.
> >
> > I'm kind of interested in why fetch() didn't work.  The escaped version
> > should be valid as a URL.
> >
> > >
> > > In
> > > https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
> > > you can see the following line:
> > >
> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > > action="${url.loginAction}" method="post">
> > >
> > > On my instance, this resolves to something similar to this:
> > >
> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > > action="https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
> > > method="post">
> > >
> > > All "&" are encoded as &amp;. This became an issue for me, when I tried
> > > to call the url via JavaScript's fetch method. With the same URL, I got a
> > > server error. When changing the URL to:
> > >
> > > fetch("${url.loginAction?no_esc}", ...)
> > >
> > > it finally worked.
> > >
> > > Shouldn't all form-urls and href-urls not be escaped? What makes me
> > > wonder is, that the same URL just works for regular post requests! For
> > > documentation on escaping you can find more information here:
> > > https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
> > >
> > > Greetings,
> > > Felix
> > >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
> A product of Cap3 GmbH, Ringstr. 19, 24114 Kiel, Germany
>
> Court of registration: Amtsgericht Kiel, HRB 13257
> Managing directors: Felix Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner
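The point Stan and Felix are circling is an escaping-context mismatch: the browser's HTML parser decodes `&amp;` in a form `action` attribute, but does not decode entities inside a `<script>` block, so the same HTML-escaped URL reaches `fetch()` with a literal `&amp;` and the server sees parameter names such as `amp;execution`. The following Node.js snippet is an added example, not code from the thread or from Keycloak; the login-action URL and its parameter values are constructed, and `htmlEscape`, `decodeAttributeValue`, `paramNames` and `jsStringLiteral` are names chosen here to mimic FreeMarker's HTML auto-escaping, the browser's attribute decoding, server-side query parsing and JS-string-context escaping respectively. It shows that the remedy for a JS context is to escape for that context (as FreeMarker's `?js_string` builtin does) rather than disabling escaping with `?no_esc`.

```javascript
// Constructed stand-in for the value FreeMarker renders for ${url.loginAction}.
const loginAction =
  "https://idp.example.test/auth/realms/master/login-actions/authenticate" +
  "?session_code=CONSTRUCTED-CODE&execution=CONSTRUCTED-EXEC&client_id=security-admin-console";

// What FreeMarker's HTML auto-escaping does to the interpolated string.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser's HTML parser does with an attribute value such as
// action="...&amp;..." before the form is submitted (the entities used above only).
function decodeAttributeValue(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => named[e]);
}

// Parameter names a server-side query parser would see for a given URL string.
function paramNames(url) {
  return [...new URL(url).searchParams.keys()];
}

// Escaping for a JS string-literal context: quotes, backslashes and control
// characters are escaped, "</" is broken up so it cannot close the <script>
// tag, and "&" is left alone because script text is never entity-decoded.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/<\//g, "<\\/");
}

// Form action: HTML-escape then attribute-decode round-trips, names are intact.
const fromForm = paramNames(decodeAttributeValue(htmlEscape(loginAction)));

// fetch("${url.loginAction}") inside <script>: no entity decoding happens, so
// the literal "&amp;" corrupts every parameter name after the first.
const fromScript = paramNames(htmlEscape(loginAction));

// fetch(${url.loginAction?js_string}-style output): the JS parser evaluates
// the literal and yields the original URL; JSON.parse plays that role here.
const fromScriptFixed = paramNames(JSON.parse(jsStringLiteral(loginAction)));

console.log({ fromForm, fromScript, fromScriptFixed });
```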