encoding URL in (href element of) JSP without scriptlets

 
Greenhorn
Posts: 24
Hi,
I've found a similar topic but answer was in scriptlets / not completely relevant.

Here is the scenario.
I pass 'fwdUrl' variable as request parameter to a JSP (confirm.jsp) and when the user clicks on 'confirm' button then it forwards the request to the path specified in 'fwdUrl' parameter.

(button stuff) <a href="<c:out value="${param.fwdUrl}"/>"><span>Confirm</span></a> (/button stuff)

Problem : fwdUrl contains an encrypted value (as request param) so +,=, etc are possible. When user clicks on 'confirm' button, the request is forwarded to an ActionServlet but it's receiving damaged encrypted value.

For ex:
- Value found in browser URL tab : uD2+reYclBs=
- Value received on server side : uD2 reYclBs= [damaged as the + sign was replaced by a space] .

Above stuff was happening, so request param really exists.

Please help, what could be done? And of course no scriptlets ;)

 
Phani Kumar R
Greenhorn
Posts: 24
Help please,

Note: the 'fwdUrl' parameter was being encoded on server side before it's being sent to the confirm.jsp

So, I suspect, <c:out > is decoding it implicitly.

Any leads?

---update---

When I used scriptlets in confirm.jsp (to know what's going on ) -

<%= request.getQueryString() %> : the fwdUrl param in the output is encoded
<%= request.getParameter("fwdUrl") %> : the output is plain, not encoded.

Please help, what can I do to encode 'fwdUrl' in the JSP.
 
Sheriff
Posts: 67753
Yes, <c:out> will HTML-encode the output by default. If that's not what you want, turn it off, or don't use <c:out>.
 
Phani Kumar R
Greenhorn
Posts: 24
Thank you Bibeault.

Yeah, I suspected. Anyhow, even if the request.getParameter("") / ${param.xyz} decodes the respective string.

So, how am I supposed to succeed in the <a href="encoded URL here"> scenario.

encoded URL is one of the request parameters. That's why I was using - href="<c:out value="${param.fwdUrl}"/>"

Help!
 
Bear Bibeault
Sheriff
Posts: 67753
You are confusing HTML-encoding with URL-encoding.
 
Phani Kumar R
Greenhorn
Posts: 24

Hmm, I am sorry.

I try not to waste time, by keeping it simple.

Ex url : www.host.com/action.do?encryptedvalue=uD2+reYclBs=

This is the URL (stored in the form of request param).

How should I link the above with href? (in a JSP)

If I use it directly, then I am missing the '+' value on the server side as the container processes the text received.
 
Phani Kumar R
Greenhorn
Posts: 24
Help please!

- How to encode URL without using scriptlets in a JSP. Using c:url is not possible as I hold the complete URL in a single string object (not host and params separately).
 
Bear Bibeault
Sheriff
Posts: 67753
You'll need to properly URL-encode the param value while creating the string value. Once it's a string, as you have surmised, you're out of luck.
 
Phani Kumar R
Greenhorn
Posts: 24
Thanks for your reply Bibeault.

This is encouraging, sight of solution.

-> What did you mean when you specified - proper URL encoding.

-> I did encode it using URLEncoder before I pass it as a request parameter. But, by the time it reaches interim confirm.jsp, it's automatically decoded into plain string, by the container.

-> Should I be using any other encoder? Does it serve the purpose?
 
Phani Kumar R
Greenhorn
Posts: 24

How do I properly-encode URL?
 
Bear Bibeault
Sheriff
Posts: 67753
URLEncoder is the right way to do it. Be sure that you only encode names and values (not the delimiters and not the base URL).
 
Phani Kumar R
Greenhorn
Posts: 24
Thanks,

Steps I've followed

1) fwdUrl = www.host.com/app/action.do?encryptedParam=uD2+reYclBs=
- I've encoded 'encryptedParam' using URLEncoder. ->: www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D
- passed it to a confirm.JSP as a request parameter.

2) In the confirm.JSP, when user clicks on confirm button, then we forward the request to the path provided in 'fwdUrl' request param

3) In the confirm.JSP, I used - href=${param.fwdUrl}
- Here, the fwdUrl was automatically decoded by the container as it's a request parameter. So, the source code of confirm.jsp on client side was like following -
- href="www.host.com/app/action.do?encryptedParam=uD2+reYclBs="
- When the user clicks on href-link; on the server side, I received the value of 'encryptedParam' as 'uD2 reYclBs=' [+ was replaced by space.]

So, the encryptedParam was damaged.


Please help.


 
Bear Bibeault
Sheriff
Posts: 67753

Phani Kumar R wrote: 2) In the confirm.JSP, when user clicks on confirm button, then we forward the request to the path provided in 'fwdUrl' request param


Impossible. You can't forward from the client. What's really going on here? Being imprecise isn't going to help us help you.
 
Phani Kumar R
Greenhorn
Posts: 24
Might be a wrong choice of word.

1) In the confirm.jsp we have a 'confirm' hyper-link (designed fancily to appear as a button).

2) confirm.jsp uses the value of fwdUrl request param as the path of the hyper link.

3) <a href="${param.fwdUrl}">

4) User clicks on the hyperlink.

Note: I wrote that I send fwdUrl as a request parameter to confirm.jsp from ServletA.
- I used the following scriptlet in confirm.jsp for debugging.

<%= request.getParameter("fwdUrl") %> : the output of fwdUrl is plain, not encoded.

So, I am looking to

1)encode 'fwdUrl' again there itself in href element of JSP

OR

2) follow some alphanumeric encoding in the ServletA itself, so that fwdUrl will not be decoded by the container before passing it to confirm.jsp.

I hope, I did not make any mistakes this time
 
Bear Bibeault
Sheriff
Posts: 67753
What does step (3) look like when rendered in the HTML?
 
Phani Kumar R
Greenhorn
Posts: 24


Step 3)

rendered value of confirm.jsp in browser was -

-> href="www.host.com/app/action.do?encryptedParam=uD2+reYclBs="

- whereas I need it like the following:

-> href="www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D"

So, any lead?
 
Bartender
Posts: 1845
Here is one suggestion for you:
encode the url twice.

i.e. your base url is: www.host.com/app/action.do?encryptedParam=uD2+reYclBs=

You encode the parameter value so you have: www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D
Now encode the whole url to send it as a request parameter: www.host.com%2Fapp%2Faction.do%3FencryptedParam%3DuD2%252BreYclBs%253D

When you send the entire url as a request parameter, it will decode it once, to a value you can just c:out onto the page
That value has the parameter encoded already, and thus should "just work"

Here is a simple short code example
 
Bear Bibeault
Sheriff
Posts: 67753
OK, so it's clear where the decoding is happening now. Is there a reason that you are passing the embedded URL as a parameter? Can you not perhaps pass it as a scoped variable (in which case the automatic decoding is circumvented)?

If not, you may need to doubly-encode the value so that it ends up correct in the HTML.
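
The round trip discussed in this thread, as an added example that is not part of any original post: it follows the e-mailed link through both decoding hops, once with the inner URL encoded a single time and once doubly encoded. The class and helper names are hypothetical, and `containerParam` is a simplified stand-in for the servlet container's query-string parsing, not the container's real code.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added illustration (hypothetical class and helper names); needs Java 10+.
public class FwdUrlRoundTrip {

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    // Simplified stand-in for the container: find the named query parameter
    // and URL-decode it once, as request.getParameter() / ${param.x} would.
    static String containerParam(String url, String name) {
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && dec(pair.substring(0, eq)).equals(name)) {
                return dec(pair.substring(eq + 1));
            }
        }
        return null;
    }

    // Follow the e-mailed link: confirm.jsp renders fwdUrl as the href, the
    // user clicks it, and the action reads encryptedParam from that request.
    static String valueSeenByAction(String emailedLink) {
        String href = containerParam(emailedLink, "fwdUrl");   // first decode
        return containerParam(href, "encryptedParam");         // second decode
    }

    public static void main(String[] args) {
        String token = "uD2+reYclBs=";                          // value from the thread
        String confirm = "www.host.com/app/confirmUnsubscribe.do?fwdUrl=";
        String inner = "www.host.com/app/action.do?encryptedParam=" + enc(token);

        // Single encoding: the first decode restores '+', the second turns it into a space.
        String single = confirm + inner;
        // Double encoding: the whole inner URL is encoded again as the fwdUrl value,
        // so one layer of encoding survives into the href.
        String doubled = confirm + enc(inner);

        System.out.println("single : " + single);
        System.out.println("  action sees [" + valueSeenByAction(single) + "]");
        System.out.println("doubled: " + doubled);
        System.out.println("  action sees [" + valueSeenByAction(doubled) + "]");
        System.out.println("  intact: " + token.equals(valueSeenByAction(doubled)));
    }
}
```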
 
Phani Kumar R
Greenhorn
Posts: 24

Actually, we send an email - in which we include this 'fwdUrl' to unsubscribe from alerts. So, no session, etc being persisted.

unsubscribe url will be something like :

www.host.com/app/confirmUnsubscribe.do?fwdUrl=www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D"


I guess, now you can get the whole scenario.
 
Bear Bibeault
Sheriff
Posts: 67753
Ah. You can look into doubly-encoding the value.
 
Phani Kumar R
Greenhorn
Posts: 24
Thank you very much Bear Bibeault.

I will try deploying it.

 
Bear Bibeault
Sheriff
Posts: 67753
Let us know how it works out.
 
Phani Kumar R
Greenhorn
Posts: 24
Great idea Bear Bibeault!!

Multiple encoding works perfectly.

But, I've got a gotcha which might help others.

1) When we use <c:out value="${param.fwdUrl}">
- fwdUrl is being decoded once by the Expression Language, i.e. ${param.fwdUrl}
- the decoded output is being decoded again by the JSTL, i.e. <c:out>.

So, be aware, if not.

2) As it's becoming complex, encoding it multiple times, I've stepped back to standard way and modified the legacy code [that sends fwdUrl as a single request param]
Steps I've followed:

a) I broke fwdUrl into two parts: "host+app+normal parameters" and "encrypted parameters"

b) so, the URL would look like :
- www.host.com/app/confirm.do?encryptedParam1=mystic1&encryptedParam2=mystic2&fwdUrl=www.host.com/app/action.do?

c) In the confirm.jsp I've used standard <c:url> and <c:param> combination.



And, it's working :).

Thanks a lot for your time.

 