commons-user mailing list archives

From "Garrett Smith" <dhtmlkitc...@gmail.com>
Subject Re: isEscaped
Date Wed, 03 Sep 2008 18:33:02 GMT
On Wed, Sep 3, 2008 at 7:56 AM, Niall Pemberton
<niall.pemberton@gmail.com> wrote:
> On Tue, Sep 2, 2008 at 7:28 PM, Gabriel Reis <bielmooca@gmail.com> wrote:
>> Hi,
>>
>> Is there any tool to verify if a String is escaped? Something like this:
>>

"Escaped HTML" would be HTML that contains no unescaped HTML entities.

>> assertFalse( StringEscapeUtils.isHtmlEscaped("<b>text</b>") );
>>

This example:

>> assertTrue( StringEscapeUtils.isHtmlEscaped("&lt;b&gt;text&lt;/b&gt;") );
>
 - is flawed.

The flaw is searching for unescaped entities, not searching for no
unescaped entities.

It is a very basic logical fallacy called "Affirming the Consequent".

Example:
1. Escaped HTML contains escaped HTML Entities.
2. String S contains escaped HTML entities.
3. Therefore, String S is Escaped HTML.

We can also see that there is another fallacy here: A generalization
fallacy in (1). Escaped HTML contains escaped HTML Entities is not a
universal truth. If we change (1) to:-

 "Escaped HTML usually contains HTML Entities"

- then we can easily see that (3) would not be implied unless we changed to:-

1. Escaped HTML *usually* contains escaped HTML Entities.
2. String S contains escaped HTML entities.
3. Therefore, String S is *probably* Escaped HTML.

But then we still have the "Affirming the Consequent" error, because
it could be statistically possible that the application we are testing
deals with a lot of HTML code examples like:-

 To make text bold, use the &lt;b&gt; tag.

> Perhaps one way to do this is to use the StringEscapeUtils's
> unescapeHtml() method and compare if the result equals the original.
>
> something like...
>
> if (value.equals(StringEscapeUtils.unescapeHtml(value))) {
>    ...
> }
>

Method unescapeHtml converts escaped entities to the unescaped character.

That would not work.

Because:-
  boolean isEscaped;
  String value = "Use this HTML: '&lt;b&gt;text&lt;/b&gt;'";
  isEscaped = value.equals(StringEscapeUtils.unescapeHtml(value));

isEscaped would be false.

So, I think that Tim is probably getting at the problem better by
asking: "What is the end goal?".

And the OP has been silent.

Garrett

> http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html#unescapeHtml(java.lang.String)
>
> Niall
>
>> []s
>> Gabriel
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
> For additional commands, e-mail: user-help@commons.apache.org
>
>
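
Added example, not part of the original message or of Commons Lang: a self-contained Java sketch of why "is this string escaped?" cannot be answered from the characters alone, and of recording the escaping step in a type instead. The escape()/unescape() helpers are simplified stand-ins for escapeHtml()/unescapeHtml(), and EscapedHtml is a hypothetical wrapper; all inputs are constructed.

```java
import java.util.List;

public class EscapeStateDemo {
    // Simplified stand-in for escapeHtml(): handles only & < > " (assumption).
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Inverse of escape(); &amp; is decoded last so "&amp;lt;" becomes "&lt;", not "<".
    static String unescape(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">")
                .replace("&quot;", "\"").replace("&amp;", "&");
    }

    // The comparison proposed in the thread: does unescaping leave the value unchanged?
    static boolean unchangedByUnescape(String s) {
        return s.equals(unescape(s));
    }

    // Hypothetical wrapper: the type, not the content, records that escaping happened.
    static final class EscapedHtml {
        final String markup;
        private EscapedHtml(String markup) { this.markup = markup; }
        static EscapedHtml of(String untrusted) { return new EscapedHtml(escape(untrusted)); }
    }

    public static void main(String[] args) {
        // Constructed inputs: raw markup, plain text, and text that talks about entities.
        List<String> raw = List.of("<b>text</b>", "plain text",
                "To make text bold, use the &lt;b&gt; tag.");
        for (String r : raw) {
            System.out.printf("%-45s unchangedByUnescape=%b%n", r, unchangedByUnescape(r));
        }

        // Two different histories, one sequence of characters: content alone
        // cannot say whether escaping has already been applied.
        String typedByUser = "&lt;b&gt;text&lt;/b&gt;";   // raw input, never escaped
        String escapedOnce = escape("<b>text</b>");        // output of the escaper
        System.out.println("same characters: " + typedByUser.equals(escapedOnce));

        // With the wrapper, every untrusted value is escaped exactly once on output,
        // so both render as the text their author typed.
        System.out.println(EscapedHtml.of("<b>text</b>").markup);
        System.out.println(EscapedHtml.of(typedByUser).markup);
    }
}
```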
