- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5
- Fix Version/s: 5.5.0-HF05, 5.6-RC1, 5.6
- Component/s: Dashboard / OpenSocial (deprecated)
- Tags:
- Backlog priority: 250
It appears that OpenSocial gadget ifr URLs (/nuxeo/opensocial/gadgets/ifr?) are being created with the following parameters unencoded: parent, permission, and url. The parent and url parameters are of type URL and should therefore clearly be encoded. The permission parameter begins and ends with unsafe characters '[' and ']' and should therefore be encoded as well.
An initial review identifies the following source files as candidates for the following patches:
1. https://github.com/nuxeo/nuxeo-opensocial/blob/master/nuxeo-opensocial-spaces/src/main/java/org/nuxeo/opensocial/container/server/utils/UrlBuilder.java - buildShindigUrl() should URLEncoder.encode values associated with PERMISSION_KEY, PARENT_KEY, and URL_KEY
2. https://github.com/nuxeo/nuxeo-opensocial/edit/4df79efe3e9af5bd45601cd26f3d45ee9c51b1eb/nuxeo-opensocial-container/src/main/java/org/nuxeo/opensocial/container/client/external/opensocial/OpenSocialPresenter.java - setPermissions() should use URLEncoder.encode on '[]' characters
Please provide feedback regarding this approach to implementing a patch.
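The encoding the report proposes, as an added example that is not code from the nuxeo-opensocial repository: it builds the ifr query string once with raw values and once with each value passed through URLEncoder.encode, so the effect of the '&', '=', '[' and ']' characters can be compared. The class name, the build() helper, and the host and parameter values are constructed for illustration; only the ifr path and the parent, permission and url parameter names come from the report.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class IfrUrlEncodingExample {

    // Path quoted in the report; everything appended to it below is constructed.
    static final String IFR_PATH = "/nuxeo/opensocial/gadgets/ifr?";

    /**
     * Hypothetical helper: joins key=value pairs into the ifr URL.
     * With encode == false the values are concatenated raw, which is the
     * behaviour the report describes. With encode == true each value is
     * percent-encoded, so reserved characters stay inside the value.
     */
    static String build(Map<String, String> params, boolean encode)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(IFR_PATH);
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) {
                sb.append('&');
            }
            first = false;
            String value = e.getValue();
            sb.append(e.getKey()).append('=')
              .append(encode ? URLEncoder.encode(value, "UTF-8") : value);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample values; the gadget URL carries its own query string.
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("parent", "http://localhost:8080/nuxeo/site/dashboard?tab=1");
        params.put("permission", "[Read,Write]");
        params.put("url", "http://localhost:8080/nuxeo/gadgets/sample.xml?lang=en&v=2");

        // Raw: the '&v=2' inside url is parsed as a separate ifr parameter,
        // and '[' / ']' reach the server unescaped.
        System.out.println("unencoded: " + build(params, false));

        // Encoded: each value survives as a single parameter value.
        System.out.println("encoded:   " + build(params, true));
    }
}
```

URLEncoder.encode applies application/x-www-form-urlencoded rules, which suits query-string values; it should be applied to each value separately, never to the assembled URL.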