  1. [Read Only] - Hippo Site Toolkit 2
  2. HSTTWO-3897

Disallow GET requests for actionURLs

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 4.1.0, 13.4.1
    • Fix Version/s: 13.4.2, 14.0.0, 14.1.0
    • Component/s: None
    • Flagged:
      Flagged
    • Processed by team:
      Puma
    • Sprint:
      Puma Sprint 226

      Description

      If the URL as rendered by the <hst:actionURL /> tag is performed as a GET request (e.g. by calling the URL from the browser), the component's doAction() method is called.

      This is unexpected and probably not desirable: we recommend using POSTs for action URLs in [1].

      Note that for <form> elements with a method=get attribute, a submit will not lead to calling doAction() because the _hn:type=action parameter is not present in the request (only form parameters are sent).

      [1] https://documentation.bloomreach.com/library/concepts/component-development/hst-2-forms.html
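Added example, not part of the original issue or of the HST code base: on an affected version, one way to see whether action URLs have been requested with GET is to scan the web server access log for GET requests that carry the `_hn:type=action` parameter. The function names, the combined-style log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a common/combined access-log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "POST /site/contact?_hn:type=action HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2020:10:00:05 +0000] "GET /site/contact?_hn:type=action HTTP/1.1" 302 0',
    '192.0.2.12 - - [01/Jan/2020:10:00:09 +0000] "GET /site/contact?_hn%3Atype=action HTTP/1.1" 302 0',
    '192.0.2.13 - - [01/Jan/2020:10:00:12 +0000] "GET /site/search?query=action HTTP/1.1" 200 5120',
    'not an access log line',
]


def is_action_url(target):
    """True if the request target carries the _hn:type=action query parameter."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so _hn%3Atype=action matches too.
    return any(
        name == "_hn:type" and value == "action"
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


def get_action_requests(lines):
    """Return (target, status) for every GET request to an action URL."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # skip lines that are not HTTP request entries
        if match["method"] == "GET" and is_action_url(match["target"]):
            hits.append((match["target"], int(match["status"])))
    return hits


if __name__ == "__main__":
    for target, status in get_action_requests(SAMPLE_LOG):
        print(status, target)
```

A GET form submit is not flagged, matching the note above: the browser replaces the query string with the form fields, so `_hn:type=action` is absent from the logged target.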

              People

              Assignee:
              Unassigned
              Reporter:
              jhoffman Jeroen Hoffman
              Owner:
              Hippo Helpdesk