2008/1/14, GF <[EMAIL PROTECTED]>:
> I think that there are 2 issues. Both important. One in s:url and the
> other in s:a
>
> s:url generates a URL that can contain a malicious query string (it
> doesn't encode anything except what is passed with s:param). And this
> is not good, mainly because when someone says encode=true, he expects
> to receive a safe URL.
I think that there are two levels of encoding:

1) In s:url, the parameter values must be encoded, to create a valid (and safe) URL.

2) In s:a, the whole URL must be encoded, simply because it is used inside an HTML element (<a>) between double quotes. For example, '&' becomes '&amp;'.

I suppose that, if this encoding is followed this way, the created URLs can be considered "safe".

Antonio
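An added illustration of the two encoding levels discussed in this thread, written in Python rather than as Struts tag code (it is not from the thread or the Struts project); the function names `build_url`, `href_attr` and `anchor` and the sample parameters are made up for the example.

```python
from html import escape
from urllib.parse import urlencode


def build_url(base, params):
    """Level 1 (the s:url step): percent-encode every parameter value so the
    query string is a valid URL and a value cannot inject extra '&key=value'
    pairs or break out of the query. Only what is passed as params is
    encoded; a query string already baked into `base` is left untouched,
    which is exactly the gap the first message complains about.
    """
    return base + "?" + urlencode(params)


def href_attr(url):
    """Level 2 (the s:a step): HTML-escape the finished URL before it is put
    between double quotes in an href attribute. '&' becomes '&amp;', and
    '"' / '<' / '>' can no longer close the attribute or the tag.
    """
    return escape(url, quote=True)


def anchor(base, params, text):
    """Build a complete <a> element, applying both levels in order:
    URL-encode the values first, then HTML-encode the whole URL."""
    return '<a href="%s">%s</a>' % (href_attr(build_url(base, params)),
                                    escape(text, quote=True))


if __name__ == "__main__":
    # Constructed sample: one harmless value and one attribute-breakout attempt.
    print(anchor("/search.action", {"q": "a&b", "page": "2"}, "next"))
    print(anchor("/search.action", {"q": '"><b>x</b>'}, "odd"))
```

Running the first call shows the '&' that separates the two parameters surviving as '&amp;' in the attribute while the '&' inside the value is percent-encoded; the second shows that the quote and angle brackets never reach the HTML attribute unencoded.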