commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pavel Sivolobtchik (JIRA)" <j...@apache.org>
Subject [jira] Created: (LANG-439) StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20)
Date Fri, 30 May 2008 14:16:45 GMT
StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20)
----------------------------------------------------------------

                 Key: LANG-439
                 URL: https://issues.apache.org/jira/browse/LANG-439
             Project: Commons Lang
          Issue Type: Bug
    Affects Versions: 2.4
         Environment: java5
            Reporter: Pavel Sivolobtchik
             Fix For: 2.4


I encountered this problem when I sent html from the server to a client using AjaxRequest.
HTML was escaped wrapped in CDATA. I thought it was pretty safe. See my xml fragment below:
//------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<ajax-fragment>
<html-rows>
<![CDATA[
<div style="padding-left: 1px;" class="columnContent4  column4">
<span  column-id="Message"  class="cellContent"  onmouseover="w12450823.onDwell(event);
w12450823.onCellSelectionOnMouseOver(event);"  onclick="w12450823.onCellSelectionOnClick(event)"
 >May 29 10:48:29 rdia643 su: - 2 nitroqa-nss</span></div>
]]>
</html-rows>
</ajax-fragment>
//------------------------------------------------------------------------------------------
However in FF2 there was js error:
//--------------------------------------------------------------------------------------------

Error: not well-formed
Source Code:
<span  column-id="Message"  class="cellContent "  onmouseover="w12450823.onDwell(event);
w12450823.onCellSelectionOnMouseOver(event); " onclick="w12450823.onCellSelectionOnClick(event)"
 >May 29 10:48:29 rdia643 su: - 2 nitroqa-nss</span></div
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^
I figured out that StringEscapeUtils.escapeHTML() did not escape one of the characters. it
was a '\b'(ascii 8).
I had to change to org.apache.commons.lang.Entities.excape() method:
public void escape(Writer writer, String str) throws IOException {
	int len = str.length();
	for (int i = 0; i < len; i++) {
		char c = str.charAt(i);
		String entityName = this.entityName(c);
		if (entityName == null) {
			if (c < 0x20 || c > 0x7F) {
				writer.write("&#");
				writer.write(Integer.toString(c, 10));
				writer.write(';');
			}
			else {
				writer.write(c);
			}
		}
		else {
			writer.write('&');
			writer.write(entityName);
			writer.write(';');
		}
	}
}

//---------------------------------------------------------------------------------------
It can be tested with unittest:
assertEquals("abc&#8;", StringEscapeUtils.escapeHtml("abc\b"));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message