My current request URL is domain.com/my-action?p1=1&p2=2 and I want to make an anchor like domain.com/my-action?p1=1&p2=2#anchor
I tried to use <a th:href="#{__${#request.requestURI}__#anchor}">My anchor with full query string</a>
or <a th:href="#{__${#request.queryString}__#anchor}">My anchor with full query string</a>
or without preprocessing expression like <a th:href="${#request.queryString} + '#anchor'">My anchor with full query string</a>
and <a th:href="${#request.requestURI} + '#anchor'">My anchor with full query string</a>
This doesn't work in the two cases:
No problem with the requestURI but the link is without query string parameters (domain.com/my-action#anchor)
with the queryString the template fail on parsing and I have an error in console that say "Access to request parameters is forbbiden in this context. Not some restrictions apply to variable access. For exampledirect access to request parameters is forbbiden in preprocessing and unescaped expressions, in TEXT template mode, in fragment insertion specifications, and in some specific attributes processors."
My search result about this problem returns this issue: https://github.com/thymeleaf/thymeleaf/issues/648 but I don't understand how to fix that.
If someone has an idea about how to make this anchor link as well ;)
EDIT: My application is a spring boot 2.2.2 application with spring-boot-starter-thymeleaf ; thymeleaf-3.0.11.REALEASE ; thymeleaf-expression-processor-1.1.3 and thymeleaf-layout-dialect-2.4.1
Related
I need an image loaded onto a html img tag using thymeleaf. The problem is, the image itself is obtained from a url which takes in two parameters.
Sample:
<img src="/products/images?categoryId=1&image=1" />
The trouble is, the image parameter is generated dynamically and hence I need to use a thymeleaf expression there. Therefore I tried something like this:
<img th:src="#{'/products/images?categoryId=1&image=' + ${product.id}}" />
But when I run this, I get the following message:
Exception parsing document: template="product-list", line 104 - column 59
Which points to the location where the '&' symbol occurs. Now, I have tried using '& amp;' but then, the url becomes something like
/products/images?categoryId=1&image=1
Obviously, this is not going to work.
So how else do I make a valid link with two parameters using thymeleaf then?
This can easily done by Thymeleaf. Don't concatenate strings and
simply use #{'/products/images'(categoryId=1, image= ${product.id})}
See the documentation.
The way that you escape an ampersand & in any html attribute is &. Actually you should always escape ampersands in all html attributes whether you are using Thymeleaf or not.
See this question for more details and references:
Do I encode ampersands in <a href...>?
When I use url helper to generate url for route with query params and then add that url to link href, validator warns me, that there is unescaped & in attribute:
▲
I tried to search but still I'm not sure who is responsible for escaping that.
Router generates url but that might be used anywhere, not only in html attribute, so it correctly does no escaping in his case.
Url helper does not change anything in that url but it is meand for use in html so it might done here
View template - there url is put inside href attribute, so it might be here too
I couldn't find any clue how to decide this and if fill an issue with zf2 about this.
EDIT: html/php code from paginator
<<
generates html
<<
and from what I found it should be
<<
I would argue that the current behavior (not HTML entity encoding) is correct and it is up to the developer to encode HTML entities, when appropriate.
For instance you may want to use the view helper inside a <script> tag, where the HTML entities would be uncalled for.
I'm using angularjs on a rather large flat documentation page. The page has some navigation thats designed to use traditional url hash links. The urls look like so:
/documentation/flat#26166276-basic-events
These urls get rewritten once the navigation occurs and i've hit the next page. angular initializes to something like:
/documentation/flat#/26166276-basic-events
This breaks the navigation. It seems to work if I am already on the /documentation/flat path and hit one of the hash urls. It gets rewritten but the browser still focus's on the correct section of the page.
However if the the hash url is triggered from a different path the browser will not focus on the correct DOM element as the angularjs rewrite happens.
Edit: this is what the markup for a link looks like
Basic Events
<h1 class="chap-header" id="26166276-basic-events">2.1.0 Basic Events</h1>
This topic was further discussed here:
How to handle anchor hash linking in AngularJS
I used a variation from that thread
if $location.$$url[0]== '#'
$location.hash($location.$$url.replace('#', ''))
$anchorScroll()
that basically lets me prefix any anchor links with an additional # and angularjs treats them as traditional anchor
There is a very silly solution: put a / at the start of the anchor id!
<a id='/my-id' />
I've become dumbfounded by this. This might be something that I've just assumed worked all along, but in fact has never worked.
I've got an anchor link on a page [Activities] and later on the page I have the anchor <a name="activities"></a>. This is the URL of the page: https://iassid.org/index.php?option=com_content&id=216
For some reason, the anchor link on the page brings the user back to https://iassid.org/index.php#activities
Has removing the query string always been normal behavior? The href in the anchor tag doesn't include anything but the hash, why would it even assume to go off the page? Why does it go back to the original URL without the query string? Is there any way to get this to work without putting the entire URL including the query string in the URL as well? I'm trying to make this easy for someone who isn't very familiar with HTML, so using onclick events and other options aren't desired.
Maybe I've just been crazy to assume this would work all along! Thanks for any insights.
What is the best way to sanitize an attribute value in rails? The code looks something like this:
<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />
I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Is html_escape method enough for the purpose? For some reason I cant use the tag method provided by TagHelper here. Using Rails 2.3.5 version.
Yes, it's good enough. (with another " though but I guess it's a typo :)
<img alt="<%=h untrusted %>" src="img.png" />
h will prevent untrusted to contain " and replace it by " so that the attacker will be unable to go out of the alt attribute. Moreover, she will also be unable to exploit something by the alt attribute as no parsing is done in it.
For example, it would be different if it was in a a's href attribute, in which case the attacker would have been able to run some javascript code when clicked even without be able to go out of the attribute. (like javascript:alert(/XSSed/);)