Uploaded image for project: '[Read Only] - Hippo Site Toolkit 2'
  1. [Read Only] - Hippo Site Toolkit 2
  2. HSTTWO-3897

Disallow GET requests for actionURLs

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • 4.1.0, 13.4.1
    • 13.4.2, 14.0.0, 14.1.0
    • None
    • Flagged
    • Puma Sprint 226

    Description

      If the URL as rendered by the <hst:actionURL /> tag is performed as GET request (e.g. by calling the URL from the browser), the components doAction() method is called.

      This is unexpected and probably not desirable: we recommend using POSTs for action URLs in [1].

      Note that for <form> elements with a method=get atribute, a submit will not lead to calling doAction() because the _hn:type=action parameter is not present in the request (only form parameters are sent).

      [1] https://documentation.bloomreach.com/library/concepts/component-development/hst-2-forms.html

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. HSTTWO-1831 actionURL is hard for infra to support in combination with https filter and proxies

          • High - High priority, expected behaviour required often required for other tasks
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. CMS-12890 By default, only allow POST method for ActionURL

          • Normal - Normal priority, tasks to be done before next intermediate release
          • Closed

          Activity

            People

              Unassigned Unassigned
              jhoffman Jeroen Hoffman
              Hippo Helpdesk Hippo Helpdesk
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: