Bug 32335 - c:url does not Encode unsafe characters
Summary: c:url does not Encode unsafe characters
Status: RESOLVED INVALID
Alias: None
Product: Taglibs
Classification: Unclassified
Component: Standard Taglib (show other bugs)
Version: 1.0.6
Hardware: PC Windows XP
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-21 21:16 UTC by Walter So
Modified: 2005-12-06 15:31 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Walter So 2004-11-21 21:16:44 UTC
if I have a string "#AAAA", when I use <c:url value="#AAAA" var="enc" />, the 
value of "enc" remains "#AAAA". When passed in the query string, the value gets 
ignored.  <c:url> should follow the behavior of URLEncoder.encode(), which 
properly converts the unsafe characters
Comment 1 Pierre Delisle 2005-12-07 00:31:09 UTC
Walter,

<c:url> has been spec'ed to only do URL rewriting.

More specifically, the JSTL spec says:
  "The rewriting must be performed by calling method encodeURL() 
  of the Servlet API."

And the servlet spec does not make any provision to encode
any special character. 

    public String HttpServletResponse.encodeURL(String url)

    This method encodes (rewrites) the specified URL to include the
    session ID and returns the new URL, or, if encoding is not needed
    or not supported, it leaves the URL unchanged. The rules used to
    decide when and how to encode a URL are server-specific. All URLs
    emitted by a servlet should be run through this method. Note that
    this encodeURL( ) method could more properly have been named
    rewriteURL( ) so as not to be confused with the URL encoding
    process that encodes special characters in URL strings.

The call to URLEncoder.encode() must be done explicitely.

However, I do agree it would be convenient if <c:url> not only
did the rewriting, but the encoding as well. Not clear to me why 
the Expert Group did not think of this at the time.

I've submitted an RFE to the JSTL spec so it can be considerered.

See:
https://jstl-spec-public.dev.java.net/issues/show_bug.cgi?id=22

Thanks!  -- Pierre