commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benedikt Ritter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LANG-955) StringEscapeUtils.escapeXml doesn't remove invalid characters
Date Fri, 31 Jan 2014 10:04:09 GMT

    [ https://issues.apache.org/jira/browse/LANG-955?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13887602#comment-13887602
] 

Benedikt Ritter commented on LANG-955:
--------------------------------------

Hello Adam,

{quote}
I differ in that I think most/all users of `escapeXml` think it's doing something that it
isn't actually doing. What's the point of a method called `escapeXml` that you can only use
once you've already mangled your string such that it only contains valid characters? `escapeXml`
as it is today only solves the easy part of a hard problem.
{quote}

I understand your concerns. However if people read the JavaDoc closely before they use the
method (something one should always do ;-) ) there won't be any surprises since it is documented
clearly what one can expect from this method.

{quote}
What about the following:
* `escapeXml`: outputs valid XML 1.0 (which is also valid XML 1.1)
* `escapeXml11`: outputs valid XML 1.1 (which may not be valid XML 1.0)
* `escapeXmlEntities`: current functionality (which, I opine, isn't as useful as the other
two – why use this instead of escapeXml or escapeXml11?)
{quote}

Renaming the method the way you suggested my clarify the functionality it provides, so this
is a good idea imho. To be absolutely clear I would call it {{escapeXml10}}, {{escapeXml11}}
and deprecate the old {{escapeXml}} (to remove it in the next major release). As I said, if
you like to contribute the functionality, go ahead!


> StringEscapeUtils.escapeXml doesn't remove invalid characters
> -------------------------------------------------------------
>
>                 Key: LANG-955
>                 URL: https://issues.apache.org/jira/browse/LANG-955
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.1
>         Environment: Ubuntu 13.10
>            Reporter: Adam Hooper
>              Labels: xml
>             Fix For: Patch Needed
>
>
> escapeXml lets non-text characters pass through into XML files:
> {code}
> scala> org.apache.commons.lang3.StringEscapeUtils.escapeXml("\u0004").codePointAt(0)
> res4: Int = 4
> {code}
> I would expect the result to be an exception -- either from StringEscapeUtils (refusing
to encode it) or, preferably, from String.codePointAt, complaining that the string is empty.
\u0004 is not a valid character in XML 1.0, and there is no way to represent it in an XML
document -- not even by escaping it.
> Wikipedia summarizes the characters that are not allowed in XML -- even after escaping:
http://en.wikipedia.org/wiki/Valid_characters_in_XML. The reason for disallowing them: XML
is a text interchange format, and control characters are not text.
> If StringEscapeUtils.escapeXml allows invalid XML characters through -- whether escaped
or not -- it generates invalid XML. Valid XML parsers will refuse to read such files.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message