MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS) #27
Conversation
Thanks, really appreciate new contributors! I just wonder if we could implement it without always creating a new String? (We could just loop the char array.) WDYT @pnicolucci @ebreijo?
@tandraschko I think, since Strings are immutable, you will have no choice but to create a new String, but I could be wrong.
Of course - but this method uses char and char[]:
There is no need to wrap it in a String.
Ahh, I see what you mean: just override those write methods and process each char.
Sorry, I don't see any problem here since
Edit: @tandraschko Okay, now I see, just added another commit. 😉
Cool :D I'm just a bit unsure... The current version will work, but maybe it's a bit "unattractive".
JFYI: you can also use a for-each loop when looping over arrays; we just avoid it on ArrayLists, to avoid an iterator instance (ArrayLists are used for component lists, e.g., and the component tree is traversed very often).
I think the remaining
I am a bit confused as this statement seems to be in contrast to what you have written in your first review. Afterwards I changed the behavior in c89e67f to fit your requirement.
Ok, good to know. However, in this special case it's probably necessary to have a counter, since we don't want to copy the array; instead we want to modify the contents of the existing array.
I just wonder if we should replace the invalid char with a blank instead of an empty string? Not sure...
mod: added test for writeAttribute
Provided another test for
Done.
Also considered this. However, it would complicate things, since array lengths might change then. When looking at OWASP's encoder, you'll find they also replace illegal characters with spaces.
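The approach discussed in this thread (override the char/char[] write methods, replace characters that are illegal in XML 1.0 with a space, and avoid building a new String per call), written out as an added example. This is not MyFaces code and not the PR's patch; the class name XmlSafeWriter and the sample input in main are constructed for illustration. Rather than mutating the caller's array in place, it writes the valid runs straight through and emits a space wherever an invalid character sat, which keeps the output the same length as the input and never touches the caller's buffer. Surrogate pairs are kept because a well-formed pair encodes a supplementary character that is valid in XML; a lone surrogate, a C0 control other than tab/LF/CR, and U+FFFE/U+FFFF are replaced.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

// Added example, not MyFaces code: a Writer decorator that replaces characters
// illegal in XML 1.0 with a space, working on the char/char[] overloads
// instead of building a new String per call. Class name is an assumption.
public final class XmlSafeWriter extends Writer {

    private final Writer out;
    // High surrogate seen at the very end of a write(); paired or replaced on the next char.
    private char pendingHigh;

    public XmlSafeWriter(Writer out) {
        this.out = out;
    }

    // XML 1.0 "Char" production restricted to the BMP; surrogate pairs are handled by the callers.
    static boolean isValidBmpChar(char c) {
        return c == 0x9 || c == 0xA || c == 0xD
            || (c >= 0x20 && c <= 0xD7FF)
            || (c >= 0xE000 && c <= 0xFFFD);
    }

    @Override
    public void write(int c) throws IOException {
        char ch = (char) c;
        if (!completePending(ch)) {
            return;                     // ch was the low half of a pending pair
        }
        if (isValidBmpChar(ch)) {
            out.write(ch);
        } else if (Character.isHighSurrogate(ch)) {
            pendingHigh = ch;           // decide once we see the next char
        } else {
            out.write(' ');
        }
    }

    @Override
    public void write(char[] cbuf, int off, int len) throws IOException {
        int i = off;
        int end = off + len;
        if (i < end && !completePending(cbuf[i])) {
            i++;                        // cbuf[i] was the low half of a pending pair
        }
        int runStart = i;               // start of the current run of valid chars
        while (i < end) {
            char c = cbuf[i];
            if (isValidBmpChar(c)) {
                i++;
            } else if (Character.isHighSurrogate(c) && i + 1 < end
                       && Character.isLowSurrogate(cbuf[i + 1])) {
                i += 2;                 // well-formed supplementary character, valid in XML
            } else if (Character.isHighSurrogate(c) && i + 1 == end) {
                out.write(cbuf, runStart, i - runStart);
                pendingHigh = c;        // the pair may continue in the next write()
                return;
            } else {
                out.write(cbuf, runStart, i - runStart);
                out.write(' ');         // control char, lone surrogate, U+FFFE/U+FFFF
                i++;
                runStart = i;
            }
        }
        out.write(cbuf, runStart, i - runStart);
    }

    // Returns false when 'ch' completed a pending surrogate pair and was consumed.
    private boolean completePending(char ch) throws IOException {
        if (pendingHigh == 0) {
            return true;
        }
        char hi = pendingHigh;
        pendingHigh = 0;
        if (Character.isLowSurrogate(ch)) {
            out.write(hi);
            out.write(ch);
            return false;
        }
        out.write(' ');                 // the held high surrogate had no partner
        return true;
    }

    @Override
    public void flush() throws IOException {
        out.flush();                    // a held high surrogate stays pending across flush()
    }

    @Override
    public void close() throws IOException {
        if (pendingHigh != 0) {
            pendingHigh = 0;
            out.write(' ');             // nothing more is coming; the lone surrogate is dropped
        }
        out.close();
    }

    public static void main(String[] args) throws IOException {
        StringWriter sink = new StringWriter();
        try (Writer w = new XmlSafeWriter(sink)) {
            // Constructed input: NUL and U+0001 are invalid, the surrogate pair (U+1F600) is valid.
            w.write("a\u0000b\u0001c\uD83D\uDE00d");
            w.write('\u0008');          // invalid control char via write(int)
            w.write("\uD800x");         // lone high surrogate becomes a space
        }
        System.out.println(sink);
    }
}
```

Writer's default write(String, int, int) copies into a per-instance char buffer and calls write(char[], int, int), so String callers go through the same path without a new String per call. Holding a trailing high surrogate across calls is what makes the filter safe when a supplementary character is split between two writes, which can happen with buffered response writers.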
Fixes
Related to
@tandraschko Could you please check that and - if accepted - merge it to the other branches as well?