URLs with query params should have & escaped #11
Comments
|
Should we assume that a function like replaceCurrentQueryParam will always use an HTML escaped string? |
|
Possibly. Under what circumstances would it not be presented as HTML? |
|
The FreemarkerURLHelper can be used to generate JavaScript, XML, JSON ... |
|
Right. I suppose we might eventually generate those views. Well, what about escaping the URLs in the HTML views? Does FreeMarker have a helper method? Both ?html and ?url('UTF-8') aren't quite the right solution IMO because they're too greedy. |
|
Freemarker helper method is ?html. Why too greedy? |
|
We could also escape the whole block and maybe the whole file through configuration. |
|
Argh. Never mind re: too greedy. I confused a quick little ?html output with output from ?url('UTF-8'). Looks like ?html is exactly what we want. http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_html |
|
that's what I did in the last commit but an escape block would be even better (for the eyes). Anyway, those lines will need a macro at some point. |
|
Yes, and ?html or an escape directive will have to be used throughout the app eg language switcher, content from data providers, etc. Essentially anywhere we might render a URL. |
In the goc branch and perhaps elsewhere (eg https://github.com/Canadensys/canadensys-explorer/blob/goc/src/main/webapp/WEB-INF/view/view-stats.ftl#L22), the URLs returned from URL.replaceCurrentQueryParam & URL.replaceCurrentQueryParams should have their ampersands escaped as &
The text was updated successfully, but these errors were encountered: