Search code examples
thymeleafcas

Workaround for #request.getParameters() in Thymeleaf

We are using CAS 5.2.3 which uses an upgraded version of Thymeleaf. Thymeleaf has restricted access to certain request features - '#request.getParameters()' being one. Is there any work around for it? I am getting the following error when trying to access it - "Access to request parameters is forbidden in this context. Note some restrictions apply to variable access. For example, direct access to request parameters is forbidden in preprocessing and unescaped expressions, in TEXT template mode, in fragment insertion specifications and in some specific attribute processors."

Solution

  • Good question. I face this problem a few months before, it is solvable.

    After looking through their source code, I found that they are limiting the usage of #request.getParameters() only on specific tag, they didn't forbid to use #request.getParameters() in some situation.

    In my use case, I am able to use CData to bypass this checking. Not sure whether it applies to your use case since you didn't provide any code example....

    Anyway, the below example want to redirect user to another page, based on the parameter url

    Here's an sample code that was broken in CAS 5.2.x, but worked in CAS 5.1.x :

    <html>
<head>
<title> Deforestation </title>
</head>
<body th:attr="onload='window.location.href=\''+${#request.getParameter('url')}+'\''">
</body>
</html>

    Here's a work around code:

    <html>
<head>
<title> Deforestation </title>
</head>
<body>

Logging out. Please wait...

<script th:inline="javascript">
/*<![CDATA[*/
    location.href = /*[[( ${#request.getParameter('url')} )]]*/ ;
/*]]>*/
</script>
</body>
</html>

    If this didn't solve your problem, please provide your source code so we can have a better look at the problem.

    Note: There is a security reason why this stuff is now banned, using this workaround might compromise the security standard, do remember to sanitize the user input if neccesary

    Edit:

    as per comment, although not elegant, maybe something like the following will work?

    <html>
<head>
<title> Data attribute </title>
</head>
<body>

<span id="foobarid"> </span>

<script th:inline="javascript">
/*<![CDATA[*/
    $('#foobarid').data('foo-bar',/*[[( ${#request.getParameter('foo') == 'bar'} )]]*/); 
/*]]>*/
</script>
</body>
</html>