Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: Release 4.0, Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      The bug is explained here: http://markmail.org/message/qoxevijc45yhaixo
      Can someone with framework access commit it, please?

      Thanks,
      Bilgin

      1. encode.patch
        2 kB
        Bilgin Ibryam
      2. encode.patch
        5 kB
        Bilgin Ibryam

          Activity

          Jacques Le Roux added a comment -

          Of course this could be considered for still supported older releases, but, since nobody took care for 8 years, I guess it's not a problem.

          Jacques Le Roux added a comment - edited

          It's always interesting to review old issues. Actually we are now (since r1655803 for OFBIZ-5312) in the reverse situation. By default we don't use jsessionId with <@ofbizUrl>. It now depends on the <jsessionid> parameter in Seo Config (SeoConfig.xml), because <@ofbizUrl> is associated with UrlRegexpTransform.

          It's a good thing, because using a session id to identify and follow a session is now a deprecated technique (notably for security reasons, see the OWASP link in this Stack Overflow question for details) and everybody uses cookies (try to work a complete day with cookies disabled for an experience).

          So I close this issue as not a problem.
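
A check for the concern discussed in this thread, that a session id written into URLs can end up on links to other sites. This is an added example, not code from the issue, its patches or OFBiz; the host names, the session id and the sample page are constructed.

```python
# Added example: audit rendered HTML for session ids carried in link URLs.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Servlet containers append the id as a path parameter: /path;jsessionid=ABC?x=1
JSESSIONID_RE = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)


class LinkAudit(HTMLParser):
    """Collect href/src/action URLs that carry a ;jsessionid= path parameter."""

    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (tag, scope, redacted_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            if not JSESSIONID_RE.search(value):
                continue
            host = (urlsplit(value).hostname or "").lower()
            # Relative URLs have no host, so they stay on our own site.
            scope = "internal" if host in ("", self.own_host) else "external"
            # Never copy the live id into a report.
            redacted = JSESSIONID_RE.sub(";jsessionid=<redacted>", value)
            self.findings.append((tag, scope, redacted))


def audit_html(html, own_host):
    """Return every URL attribute in `html` that exposes a session id."""
    parser = LinkAudit(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hypothetical hosts and session id).
SAMPLE = """
<a href="/catalog/control/main;jsessionid=0A1B2C3D.jvm1?lang=en">Home</a>
<a href="https://partner.example.net/promo;jsessionid=0A1B2C3D.jvm1">Partner</a>
<form action="https://shop.example.org/control/login;jsessionid=0A1B2C3D.jvm1"></form>
<a href="https://partner.example.net/about">About</a>
"""
```

Findings with scope "external" are the ones that hand the id to another site; "internal" ones still put it into browser history, logs and Referer headers.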

          Pierre Smits added a comment -

          Jacques Le Roux The issue and the associated patch(es) are soon 8 years old. Patches have a limited shelf life.

          Jacques Le Roux added a comment -

          Hi Bilgin, why was this never done finally? Unfortunately the patch does not apply at all...

          Bilgin Ibryam added a comment -

          Adrian you are right,
          but setting encode attribute to false for external links should solve this issue?

          Adrian Crum added a comment -

          Bilgin,

          My concern is with external links - will the jsessionid parameter get appended to them also?

          Bilgin Ibryam added a comment -

          Adrian,

          I updated the patch according to your remarks.
          Can you tell me what kind of existing code this patch could break?

          Thanks for your review and comments!

          Adrian Crum added a comment -

          Bilgin,

          I'd like to hear more comments on the subject. Your patch only changes the default in the widget's xsd; it doesn't address the scenario where the xsd is not available. To handle that case, the model widgets would have to default the setting to true also. That could break a lot of existing code.


            People

            • Assignee:
              Jacques Le Roux
              Reporter:
              Bilgin Ibryam
            • Votes:
              0
              Watchers:
              1
