Uploaded image for project: 'Click'
  1. Click
  2. CLK-653 Add Ajax support
  3. CLK-685

AbstractLink should only bind explicitly defined parameters for Ajax requests

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0-M1
    • Component/s: core
    • Labels:
      None

      Description

      AbstractLink binds all incoming request parameters to its own parameter map. This makes the link quite easy to use but has the potential to leak parameters which isn't targeted at the link. It also duplicates the parameters already present on the Context.

      The problem becomes obvious when using Ajax to invoke a link. Any extra parameters passed for the Ajax request will be added to the link parameter map.

      It is not common for applications to use link.getParameter and with the above mentioned issues I suggest we remove getParameter, getParameterValues and getParameters from AbstractLink. Click won't bind incoming request parameters to the link. However it will still be possible to set link parameters and render them.

      See http://click.1134972.n2.nabble.com/AbstractLink-request-parameter-leak-tp5139164p5139164.html for more details.

        Attachments

          Activity

            People

            • Assignee:
              sabob Bob Schellink
              Reporter:
              sabob Bob Schellink
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: