wood burning stoves 2.0*
The moose likes JSP and the fly likes encoding URL in (href element of) JSP without scriptlets Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "encoding URL in (href element of) JSP without scriptlets" Watch "encoding URL in (href element of) JSP without scriptlets" New topic
Author

encoding URL in (href element of) JSP without scriptlets

Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Hi,
I've found a similar topic but answer was in scriptlets / not completely relevant.

Here is the scenario.
I pass 'fwdUrl' variable as request parameter to a JSP (confirm.jsp) and when the user clicks on 'confirm' button then it forwards the request to the path specified in 'fwdUrl' parameter.

(button stuff) <a href="<c:out value="${param.fwdUrl}"/>><span>Confirm</span></a> (/button stuff)

Problem : fwdUrl contains an encrypted value (as request param) so +,=, etc are possible. When user clicks on 'confirm' button, the request is forwarded to an ActionServlet but it's receiving damaged encrypted value.

For ex:
- Value found in browser URL tab : uD2+reYclBs=
- Value received on server side : uD2 reYclBs= [damaged as the + sign was replaced by a space] .

Above stuff was happening, so request param really exists.

Please help, what could be done? and ofcourse no scriptlets ;)

Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Help please,

Note: the 'fwdUrl' parameter was being encoded on server side before it's being sent to the confirm.jsp

So, I suspect, <c:out > is decoding it implicitly.

Any leads?

---update---

When I used scriptlets in confirm.jsp (to know what's going on ) -

<%= request.getQueryString() %> : the fwdUrl param in the output is encoded
<%= request.getParameter("fwdUrl") %> : the output is plain, not encoded.

Please help, what can I do to encode 'fwdUrl' in the JSP.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

Yes, <c:out> will HTML-encode the output by default. If that's not what you want, turn it off, or don;t use <c:out>.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Thank you Bibeault.

Yeah, I suspected. Anyhow, even if the request.getParameter("") / ${param.xyz} decodes the respective string.

So, how am I supposed to succeed in the <a href="encoded URL here"> scenario.

encoded URL is one of the request parameters. That's why I was using - href="<c:out value="${param.fwdUrl}"/>"

Help!
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

You are confusing HTML-encoding with URL-encoding.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24

Hmm, I am sorry.

I try not to waste time, by keeping it simple.

Ex url : www.host.com/action.do?encryptedvalue=uD2+reYclBs=

This is the URL (stored in the form of request param).

How should I link the above with href? (in a JSP)

If I use directly, then am missing '+' value on the server side as the container processes the text received.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Help please!

- How to encode URL without using scriptlets in a JSP. Using, c:url is not possible as I hold the complete URL in a single string object. (not host, params seperately)
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

You'll need to properly URL-encode the param value while creating the string value. Once it's a string, as you have surmised, you're out of luck.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Thanks for your reply Bibeault.

This is encouraging, sight of solution.

-> What did you mean when you specified - proper URL encoding.

-> I did encode it using URLEncoder before I pass it as a request parameter. But, by the time it reaches interim confirm.jsp, it's automatically decoded into plain string, by the container.

-> Should I be using any other encoder? Does it serve the purpose?
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24

How do I properly-encode URL?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

URLEncoder is the right way to do it. Be sure that you only encode names and values (not the delimiters and not the base URL).
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Thanks,

Steps I've followed

1) fwdUrl = www.host.com/app/action.do?encryptedParam=uD2+reYclBs=
- I've encoded 'encryptedParam' using URLEncoder. ->: www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D
- passed it to a confirm.JSP as a request parameter.

2) In the confirm.JSP, when user clicks on confirm button, then we forward the request to the path provided in 'fwdUrl' request param

3) In the confirm.JSP, I used - href=${param.fwdUrl}
- Here, the fwdUrl was automatically decoded by the container as it's a request parameter. So, the source code of confirm.jsp on client side was like following -
- href="www.host.com/app/action.do?encryptedParam=uD2+reYclBs="
- When the user clicks on href-link; on the server side, i received the value of 'encryptedParam' as 'uD2 reYclBs=' [+ was replaced by space.]

So, the encryptedParam was damaged.


Please help.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

Phani Kumar R wrote:2) In the confirm.JSP, when user clicks on confirm button, then we forward the request to the path provided in 'fwdUrl' request param

Impossible. You can't forward from the client. What's really going on here? Being imprecise isn't going to help us help you.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Might be a wrong choice of word.

1) In the confirm.jsp we have a 'confirm' hyper-link (designed fancily to appear as a button).

2) confirm.jsp uses the value of fwdUrl request param as the path of the hyper link.

3) <a href="${param.fwdUrl}">

4) User clicks on the hyperlink.

Note: I wrote that I send fwdUrl as a request parameter to confirm.jsp from ServletA.
- I used following scritplet in confirm.jsp for debugging.

<%= request.getParameter("fwdUrl") %> : the output of fwdUrl is plain, not encoded.

So, I am looking to

1)encode 'fwdUrl' again there itself in href element of JSP

OR

2) follow some alphanumeric encoding in the ServletA itself, so that fwdUrl will not be decoded by the container before passing it to confirm.jsp.

I hope, I did not make any mistakes this time
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

What does step (3) look like when rendered in the HTML?
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24


Step 3)

rendered value of confirm.jsp in browser was -

-> href="www.host.com/app/action.do?encryptedParam=uD2+reYclBs="

- where as I need like following:

-> href="www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D"

So, any lead?
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1016
Here is one suggestion for you:
encode the url twice.

ie your base url is: www.host.com/app/action.do?encryptedParam=uD2+reYclBs=

You encode the parameter value so you have: www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D
Now encode the whole url to send it as a request parameter: www.host.com%2Fapp%2Faction.do%3FencryptedParam%3DuD2%252BreYclBs%253D

When you send the entire url as a request parameter, it will decode it once, to a value you can just c:out onto the page
That value has the parameter encoded already, and thus should "just work"

Here is a simple short code example
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

OK, so it's clear where the decoding is happening now. Is there a reason that you are passing the embedded URL as a parameter? Can you not perhaps pass it as a scoped variable (in which case the automatic decoding is circumvented)?

If not, you may need to doubly-encode the value so that it ends up correct in the HTML.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24

Actually, we send an email - in which we include this 'fwdUrl' to unsubscribe from alerts. So, no session, etc being persisted.

unsubscribe url will be something like :

www.host.com/app/confirmUnsubscribe.do?fwdUrl=www.host.com/app/action.do?encryptedParam=uD2%2BreYclBs%3D"


I guess, now you can get the whole scenario.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

Ah. You can look into doubly-encoding the value.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Thank you very much Bear Bibeault.

I will try deploying it.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

Let us know how it works out.
Phani Kumar R
Greenhorn

Joined: Dec 09, 2010
Posts: 24
Great idea Bear Bibeault!!

Multiple encoding works perfectly.

But, I've got a gotcha which might help others.

1) When we use <c:out value="${param.fwdUrl}">
- fwdUrl is being decoded once by the Expression language i.e ${param.fwdUrl}
- the decoded output is being decoded again by the JSTL i.e <c:out>.

So, be aware, if not.

2) As it's becoming complex, encoding it multiple times, I've stepped back to standard way and modified the legacy code [that sends fwdUrl as a single request param]
Steps I've followed:

a) I broke fwdUrl into two parts: "host+app+normal parameters" and "encrypted parameters"

b) so, the URL would look like :
- www.host.com/app/confirm.do?encryptedParam1=mystic1&encryptedParam2=mystic2&fwdUrl=www.host.com/app/action.do?

c) In the confirm.jsp I've used standard <c:url> and <c:param> combination.



And, it's working :).

Thanks a lot for your time.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    
  65

 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: encoding URL in (href element of) JSP without scriptlets
 
Similar Threads
stylesheet messed up in richfaces JSF page
dynamically create href link
JSP save as Excel File after displaying data
exchanging encrypted values as request parameters.
How to disable a href link after it is clicked once