commons-issues mailing list archives

From "Gary Gregory (JIRA)" <j...@apache.org>
Subject [jira] Updated: (LANG-363) StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly
Date Thu, 03 Apr 2008 13:22:24 GMT

     [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Gregory updated LANG-363:
------------------------------

    Summary: StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it
will make IE render page uncorrectly  (was: StringEscapeUtils..escapeJavaScript() method did
not escape '/' into '\/', it will make IE render page uncorrectly)

fix typo in summary field

> StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-363
>                 URL: https://issues.apache.org/jira/browse/LANG-363
>             Project: Commons Lang
>          Issue Type: Bug
>    Affects Versions: 2.3
>         Environment: JDK1.5 + commons-lang-2.3.jar + IE 6.0
>            Reporter: Situ Chenghao
>            Priority: Minor
>             Fix For: 2.4
>
>         Attachments: patch.txt
>
>
> If JavaScript includes '/', IE will parse the scripts incorrectly; actually '/' should be escaped to '\/'.
> For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>'; this expression will make IE render the page incorrectly; it should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';
> Btw, Spring's JavascriptEscape behavior is correct.
> Try running the code below and you will find the difference:
>   String s = "<script>alert('aaa');</script>";
>   String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
>   System.out.println("Spring JS Escape : "+str);
>   str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
>   System.out.println("Apache Common Lang JS Escape : "+ str);

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
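
Added example, not part of the original message and not Commons Lang or Spring code: a small JavaScript model of why the unescaped '/' in the report breaks an inline script. The HTML parser ends the script element at the first "</script" it sees, before any JavaScript quoting is considered. All function names are hypothetical, and the parser model is simplified (it ignores the "<!--" escaped states).

```javascript
// Added example: hypothetical helpers, not Commons Lang or Spring code.

// Escape a value for use inside a quoted JavaScript string literal.
// escapeSlash=false models an escaper that leaves '/' alone (the behaviour
// reported in LANG-363); escapeSlash=true emits '\/' as the report asks.
function escapeJsString(value, escapeSlash) {
  let out = "";
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (ch === "\\") out += "\\\\";
    else if (ch === "'") out += "\\'";
    else if (ch === '"') out += '\\"';
    else if (ch === "\n") out += "\\n";
    else if (ch === "\r") out += "\\r";
    else if (ch === "/" && escapeSlash) out += "\\/";
    else if (code < 0x20) out += "\\u" + code.toString(16).padStart(4, "0");
    else out += ch;
  }
  return out;
}

// Build the inline script from the report around an escaped value.
function buildPage(value, escapeSlash) {
  const js = "document.getElementById(\"test\").value = '" +
             escapeJsString(value, escapeSlash) + "';";
  return "<script>" + js + "</script>";
}

// Simplified model of the HTML tokenizer: script content ends at the first
// "</script" followed by whitespace, "/" or ">", whatever the JavaScript
// quoting says. Returns the script text the browser would actually run.
function scriptSeenByParser(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.slice(start).search(/<\/script[\t\n\f \/>]/i);
  return html.slice(start, start + end);
}

// Constructed sample input, taken from the report's example string.
const SAMPLE = "<script>alert('aaa');</script>";

// True when the parser would cut the script short of what the page intended.
function isTruncated(escapeSlash) {
  const html = buildPage(SAMPLE, escapeSlash);
  const intended = html.slice("<script>".length, html.length - "</script>".length);
  return scriptSeenByParser(html) !== intended;
}

console.log("'/' left as is:", isTruncated(false));
console.log("'/' escaped to '\\/':", isTruncated(true));
```

With '/' left alone, the script handed to the JavaScript engine stops inside the string literal and the rest of the value is parsed as HTML, which is also why this escaping matters for untrusted values written into inline scripts.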
