Nuxeo Platform / NXP-8916

src attribute url in *.xhtml script tags include unsafe characters and are therefore not compliant with RFC1738

      Description

      Numerous Nuxeo xhtml files have script tags with a src attribute url that is not encoded. For example, see line 24 in nuxeo-user-activity-stream/src/main/resources/web/nuxeo.war/incl/includes.xhtml:

      <script type="text/javascript" src="#{baseURL}js/?scripts=confirmAlerts.js|DragAndDrop.js|tableSelections.js|customSeamRemotingWaiter.js|custom-javascript.js|default-contextmenu-actions.js|custom-contextmenu-actions.js|tooltip.js"></script>

      The url includes the vertical pipe/bar character '|' which is "unsafe" and should be encoded as %7C. Other xhtml files have this problem as well. According to RFC1738:

      All unsafe characters must ALWAYS be encoded within a URL.

      This compliance violation causes problems for downstream gateways and other transport agents.
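One way to find the affected tags across a source tree is sketched below. This is an added example, not code from the issue or from Nuxeo: it scans XHTML text for script src values containing RFC 1738 unsafe characters and proposes the percent-encoded form, leaving `#{...}` EL expressions untouched. The function names, the sample markup (shortened from the line quoted above) and the `scripts/clean.js` path are assumptions made for illustration.

```python
import re

# RFC 1738 section 2.2 "unsafe" characters. '#' and '%' are left out of the
# check because they also act as the fragment delimiter and the escape prefix.
UNSAFE = set(' <>"{}|\\^~[]`')

SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*"([^"]*)"', re.IGNORECASE)
EL_EXPR = re.compile(r'[#$]\{[^}]*\}')  # Facelets EL, resolved server-side

# Constructed sample: the first tag is a shortened form of the reported line,
# the second is a hypothetical tag with nothing to encode.
SAMPLE = '''<div xmlns="http://www.w3.org/1999/xhtml">
<script type="text/javascript" src="#{baseURL}js/?scripts=confirmAlerts.js|DragAndDrop.js|tooltip.js"></script>
<script type="text/javascript" src="#{baseURL}scripts/clean.js"></script>
</div>'''


def encode_literal(text):
    """Percent-encode every unsafe character in a literal URL fragment."""
    return "".join("%{:02X}".format(ord(c)) if c in UNSAFE else c for c in text)


def encode_unsafe(url):
    """Encode the literal parts of a src value, keeping EL expressions as-is."""
    out, pos = [], 0
    for m in EL_EXPR.finditer(url):
        out.append(encode_literal(url[pos:m.start()]))
        out.append(m.group(0))  # the braces here are template syntax, not URL text
        pos = m.end()
    out.append(encode_literal(url[pos:]))
    return "".join(out)


def find_unsafe_script_srcs(xhtml):
    """Return (line_no, original_src, encoded_src, unsafe_chars) per offending tag."""
    findings = []
    for m in SCRIPT_SRC.finditer(xhtml):
        src = m.group(1)
        literal = EL_EXPR.sub("", src)  # ignore characters inside EL expressions
        bad = sorted(set(literal) & UNSAFE)
        if bad:
            line_no = xhtml.count("\n", 0, m.start()) + 1
            findings.append((line_no, src, encode_unsafe(src), bad))
    return findings


if __name__ == "__main__":
    for line_no, src, fixed, bad in find_unsafe_script_srcs(SAMPLE):
        print("line {}: unsafe {} -> {}".format(line_no, bad, fixed))
```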
