[ https://issues.apache.org/jira/browse/LANG-439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12603482#action_12603482 ]

Henri Yandell commented on LANG-439:
------------------------------------

I thought we'd hit this for escapeXml before and the spec said that such characters were not escaped.

> StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20)
> ----------------------------------------------------------------
>
>                 Key: LANG-439
>                 URL: https://issues.apache.org/jira/browse/LANG-439
>             Project: Commons Lang
>          Issue Type: Bug
>    Affects Versions: 2.4
>         Environment: java5
>            Reporter: Pavel Sivolobtchik
>             Fix For: 3.0
>
>
> I encountered this problem when I sent HTML from the server to a client using AjaxRequest. The HTML was escaped and wrapped in CDATA. I thought it was pretty safe. See my XML fragment below:
>
> //------------------------------------------------------------------------------------------
>
>
>
> May 29 10:48:29 rdia643 su: - 2 nitroqa-nss
> ]]>
>
>
> //------------------------------------------------------------------------------------------
>
> However, in FF2 there was a JS error:
>
> //--------------------------------------------------------------------------------------------
> Error: not well-formed
> Source Code:
> May 29 10:48:29 rdia643 su: - 2 nitroqa-nss
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^
>
> I figured out that StringEscapeUtils.escapeHTML() did not escape one of the characters. It was a '\b' (ASCII 8).
>
> I had to change to the org.apache.commons.lang.Entities.escape() method:
>
>     public void escape(Writer writer, String str) throws IOException {
>         int len = str.length();
>         for (int i = 0; i < len; i++) {
>             char c = str.charAt(i);
>             String entityName = this.entityName(c);
>             if (entityName == null) {
>                 if (c < 0x20 || c > 0x7F) {
>                     writer.write("&#");
>                     writer.write(Integer.toString(c, 10));
>                     writer.write(';');
>                 }
>                 else {
>                     writer.write(c);
>                 }
>             }
>             else {
>                 writer.write('&');
>                 writer.write(entityName);
>                 writer.write(';');
>             }
>         }
>     }
> //---------------------------------------------------------------------------------------
>
> It can be tested with a unit test:
>
>     import java.io.Reader;
>     import java.io.StringReader;
>     import junit.framework.TestCase;
>     import org.apache.commons.lang.StringEscapeUtils;
>     import org.jdom.input.SAXBuilder;
>
>     public class StringEscapeUtilsTest extends TestCase {
>
>         public void testPR73092() throws Exception {
>             StringBuilder test = new StringBuilder(50);
>             for (int i = 0; i <= 50; i++) {
>                 test.append((char)i);
>             }
>             StringBuilder result = new StringBuilder("\n result.append(StringEscapeUtils.escapeHtml(test.toString()));
>             result.append("\n]]>\n\n");
>             validate(new StringReader(result.toString()));
>
>             result = new StringBuilder("\n result.append(test.toString());
>             result.append("\n]]>\n\n");
>             try {
>                 validate(new StringReader(result.toString()));
>                 fail("expected to blow up");
>             }
>             catch (Exception e) {
>                 //
>             }
>         }
>
>         /** make sure that xml is well-formed */
>         private static void validate(Reader xmlSource) throws Exception {
>             SAXBuilder saxBuilder = new SAXBuilder();
>             saxBuilder.build(xmlSource);
>         }
>     }

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
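Added example (not part of the JIRA thread, and not Commons Lang code) that reproduces the failure mode the report describes in Python: XML 1.0 only permits TAB, LF and CR below 0x20, so an HTML-escaped string carrying a raw '\b' breaks the enclosing document even inside CDATA. The is_xml10_char check follows the Char production of the XML 1.0 spec; escape_html_for_cdata mirrors the numeric-reference approach of the quoted Entities.escape() on top of standard HTML entity escaping, and is_well_formed uses the expat-backed parser in the standard library as the equivalent of the report's SAXBuilder check. The element name "response" and the sample log text are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET


def is_xml10_char(cp: int) -> bool:
    """True if the code point is allowed by the XML 1.0 Char production.

    Below 0x20 only TAB (0x9), LF (0xA) and CR (0xD) are legal; every other
    C0 control character makes the document not well-formed, even in CDATA.
    """
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def escape_html_for_cdata(text: str) -> str:
    """HTML-escape text and additionally replace every character that XML 1.0
    forbids with a decimal character reference, as the quoted
    Entities.escape() does for c < 0x20.

    Because '>' becomes '&gt;', the result can never contain ']]>' and so
    cannot terminate the CDATA section early.
    """
    escaped = html.escape(text, quote=True)
    out = []
    for ch in escaped:
        cp = ord(ch)
        out.append(ch if is_xml10_char(cp) else f"&#{cp};")
    return "".join(out)


def wrap_in_cdata(payload: str) -> str:
    """Build the kind of AJAX response document the report describes.
    The root element name is a constructed placeholder."""
    return ('<?xml version="1.0"?>\n'
            '<response><![CDATA[\n' + payload + '\n]]></response>')


def is_well_formed(document: str) -> bool:
    """Equivalent of the report's validate(): parse, report success/failure."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a log line with a stray backspace (0x08) in it.
    sample = "May 29 10:48:29 rdia643 su: - 2\x08 nitroqa-nss"
    print("raw in CDATA well-formed:    ", is_well_formed(wrap_in_cdata(sample)))
    print("escaped in CDATA well-formed:", is_well_formed(wrap_in_cdata(escape_html_for_cdata(sample))))
```

Running it prints False for the raw payload and True for the escaped one; the loop in the report (characters 0..50 appended in turn) can be reproduced by calling is_well_formed on wrap_in_cdata(chr(i)) for each i, which succeeds exactly where is_xml10_char(i) is true.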