freemarker-notifications mailing list archives

From "Daniel Dekany (JIRA)" <>
Subject [jira] [Commented] (FREEMARKER-16) js_string built-in function escapes '/' for first character
Date Mon, 14 Mar 2016 18:43:33 GMT


Daniel Dekany commented on FREEMARKER-16:

But if you do that, then the inserted value has to be escaped first with Java string escaping,
and then with JSP attribute value escaping. The trick you recommend works for escaping {{'}}
because Java doesn't need that to be escaped (though only as far as you don't have Java character
literals). But what if the string to insert contains {{"}}? That has to be escaped like {{\\\"}}
(that's 3 backslashes) in the context you show. This stands even if you quote the JSP attribute
with {{'}}, as JSP will still un-escape the {{\"}} to {{"}} before the Java compiler could
see the string literal, and hence you end up with an uncompilable JSP.

> js_string built-in function escapes '/' for first character
> -----------------------------------------------------------
>                 Key: FREEMARKER-16
>                 URL:
>             Project: Apache Freemarker
>          Issue Type: Bug
>          Components: engine
>    Affects Versions: 2.3.23
>            Reporter: Martin Těthal
>            Assignee: Daniel Dekany
>            Priority: Minor
> ${"bar/foo"?js_string} returns "bar/foo"
> but
> ${"/foo"?js_string} returns "\/foo" (the first slash character is escaped by backslash).
> I think the problem is from version 2.3.1 as documentation says:
> Starting from FreeMarker 2.3.1, it also escapes > as \> (to avoid </script>).

This message was sent by Atlassian JIRA
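
The layering described in the comment above, as an added example that is not part of the original message or of FreeMarker's code: a simplified Python model of the two decoders (JSP attribute un-escaping, then Java string-literal parsing), showing that the value has to be escaped in the reverse order. All function names and the reduced escape sets (backslash and quotes only) are assumptions made for illustration.

```python
# Added illustration: simplified models of two nested escaping layers.
# Only backslash and quote characters are handled; real JSP and Java
# escaping rules cover more cases (assumption: reduced for clarity).

def java_string_escape(value: str) -> str:
    """Escape for the inside of a Java "..." string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def jsp_attr_escape(value: str) -> str:
    """Escape for a quoted JSP attribute value (backslash and both quotes)."""
    out = value.replace("\\", "\\\\")
    return out.replace('"', '\\"').replace("'", "\\'")

def _unescape(text: str, escapable: str) -> str:
    """Drop a backslash when it precedes one of the escapable characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in escapable:
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def jsp_attr_unescape(text: str) -> str:
    """What the JSP container does before the Java compiler sees the code."""
    return _unescape(text, "\\\"'")

def java_literal_value(body: str) -> str:
    """Value of a Java string literal body; rejects an unescaped quote."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == '"':
            raise ValueError("unescaped quote ends the literal early")
        i += 1
    return _unescape(body, "\\\"'")

def encode_for_context(value: str) -> str:
    """Innermost layer first: Java escaping, then JSP attribute escaping."""
    return jsp_attr_escape(java_string_escape(value))

def decode_in_context(text: str) -> str:
    """Outermost layer first: JSP un-escaping, then Java literal parsing."""
    return java_literal_value(jsp_attr_unescape(text))
```

Passing a value that was escaped for only one layer, such as `\"`, to `decode_in_context` raises `ValueError`, which models the uncompilable JSP the comment describes.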