axis-java-dev mailing list archives

From Glen Daniels <gdani...@macromedia.com>
Subject RE: cvs commit: xml-axis/java/src/org/apache/axis/transport/http AxisServlet.java
Date Sat, 01 Feb 2003 22:47:59 GMT

Actually, I don't think everything should be escaped all the time, really I don't. :)

I think there should be dumpToString() and dumpToSafeString(), i.e. two different methods
for two different bits of functionality, rather than an overload with a flag.

When not in an HTML/browser context (i.e. when debugging on the console, for instance) it
isn't much use to escape the string, IMHO.

--Glen

> -----Original Message-----
> From: stevel@apache.org [mailto:stevel@apache.org]
> Sent: Saturday, February 01, 2003 4:03 PM
> To: xml-axis-cvs@apache.org
> Subject: cvs commit: xml-axis/java/src/org/apache/axis/transport/http
> AxisServlet.java
> 
> 
> stevel      2003/02/01 13:03:01
> 
>   Modified:    java/src/org/apache/axis AxisFault.java
>                java/src/org/apache/axis/transport/http 
> AxisServlet.java
>   Log:
>   changing how we escape xml in dump to string, as per Glen's -0:
>   
>   -there is only one dumpToString() method; everything gets escaped
>   -so AxisServlet reverts to calling the single method.
>   
>   Revision  Changes    Path
>   1.70      +8 -23     
> xml-axis/java/src/org/apache/axis/AxisFault.java
>   
>   Index: AxisFault.java
>   ===================================================================
>   RCS file: 
> /home/cvs/xml-axis/java/src/org/apache/axis/AxisFault.java,v
>   retrieving revision 1.69
>   retrieving revision 1.70
>   diff -u -r1.69 -r1.70
>   --- AxisFault.java	25 Jan 2003 19:28:01 -0000	1.69
>   +++ AxisFault.java	1 Feb 2003 21:03:01 -0000	1.70
>   @@ -303,22 +303,14 @@
>            log.debug(dumpToString());
>        }
>    
>   -    /**
>   -     * turn the fault and details into a string
>   -     * @return stringified fault details
>   -     */
>   -    public String dumpToString() {
>   -        return dumpToString(true);
>   -    }
>    
>        /**
>   -     * turn the fault and details into a string, with or 
> without XML escaping.
>   +     * turn the fault and details into a string, with XML escaping.
>         * subclassers: for security (cross-site-scripting) reasons, 
>         * escape everything that could contain caller-supplied data. 
>   -     * @param escapeText flag to control whether to XML 
> escape everything
>         * @return stringified fault details
>         */
>   -    public String dumpToString(boolean escapeText)
>   +    public String dumpToString()
>        {
>            String details = new String();
>    
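Review bot: removing the public dumpToString(boolean escapeText) signature at the end of this hunk breaks any external caller that passes the flag, and a subclass that overrode the boolean overload (the javadoc addresses "subclassers" directly) will still compile while its method is no longer reached through dumpToString(). Keeping the old overload as a deprecated wrapper for a release, or replacing the flag with two named methods as the reply above suggests, would avoid that silent change. The log.debug(dumpToString()) call in the leading context also receives escaped text, which is harder to read in a log, and the removal leaves two consecutive blank lines before the remaining javadoc.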
>   @@ -345,22 +337,15 @@
>                for (int i = 0; i < faultSubCode.size(); i++) {
>                    subCodes += JavaUtils.LS
>                                + (QName)faultSubCode.elementAt(i);
>   -
>                }
>            }
>   -        String code=faultCode.toString();
>   -        String errorString=faultString;
>   -        String actor=faultActor;
>   -        String node=faultNode;
>   +        //encode everything except details and subcodes, 
> which are already
>   +        //dealt with one way or another.
>   +        String code= 
> XMLUtils.xmlEncodeString(faultCode.toString());
>   +        String errorString= XMLUtils.xmlEncodeString(faultString);
>   +        String actor= XMLUtils.xmlEncodeString(faultActor);
>   +        String node= XMLUtils.xmlEncodeString(faultNode);
>    
>   -        if (escapeText) {
>   -            //encode everything except details and 
> subcodes, which are already
>   -            //dealt with one way or another.
>   -            code= XMLUtils.xmlEncodeString(code);
>   -            errorString = XMLUtils.xmlEncodeString(errorString);
>   -            actor= XMLUtils.xmlEncodeString(actor);
>   -            node = XMLUtils.xmlEncodeString(node);
>   -        }
>    
>            return "AxisFault" + JavaUtils.LS
>                + " faultCode: " + code + JavaUtils.LS
>   
>   
>   
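Review bot: the new comment says details and subcodes are "already dealt with one way or another", but the loop in the leading context builds subCodes by concatenating (QName)faultSubCode.elementAt(i) with no encoding visible in this hunk. Since the javadoc now states that the method returns XML-escaped text unconditionally, either pass subCodes through XMLUtils.xmlEncodeString as well or replace the comment with a statement of where each of the two is encoded. It is also worth confirming that xmlEncodeString accepts null, because faultActor and faultNode are handed to it directly. Removing the if block leaves two blank lines before the return.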
>   1.158     +1 -1      
> xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java
>   
>   Index: AxisServlet.java
>   ===================================================================
>   RCS file: 
> /home/cvs/xml-axis/java/src/org/apache/axis/transport/http/Axi
> sServlet.java,v
>   retrieving revision 1.157
>   retrieving revision 1.158
>   diff -u -r1.157 -r1.158
>   --- AxisServlet.java	25 Jan 2003 19:28:01 -0000	1.157
>   +++ AxisServlet.java	1 Feb 2003 21:03:01 -0000	1.158
>   @@ -419,7 +419,7 @@
>        private void writeFault(PrintWriter writer, AxisFault 
> axisFault) {
>            String localizedMessage = 
> XMLUtils.xmlEncodeString(axisFault.getLocalizedMessage());
>            writer.println("<pre>Fault - " + localizedMessage 
> + "<br>");
>   -        writer.println(axisFault.dumpToString(true));
>   +        writer.println(axisFault.dumpToString());
>            writer.println("</pre>");
>        }
>        
>   
>   
>   
> 
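Review bot: in writeFault the HTML safety of writer.println(axisFault.dumpToString()) now rests on an unstated contract that every dumpToString() implementation escapes its output, including subclass overrides, which the AxisFault javadoc only requests of "subclassers". Nothing at this call site says so once the explicit true argument is gone. A comment on this line, or a method name that states the guarantee, would keep the requirement visible to the next person who edits the servlet; encoding a second time here would double-escape, so the guarantee needs to be enforced in one place only.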
