freemarker-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Dekany (JIRA)" <>
Subject [jira] [Commented] (FREEMARKER-16) js_string buit-in function escapes '/' for first character
Date Thu, 17 Mar 2016 21:15:33 GMT


Daniel Dekany commented on FREEMARKER-16:

I believe that if the goal is to do Java escaping then JSP attribute escaping (or however
it should be called) then that should be obvious for the reader: {{?j_string?jsp_attribute}}.
Even if {{?j_string?j_string}}-s happen to work if it also escapes {{'}}, the next developer
who looks at the template will not easily understand what's going on. Also, while in your
case escaping `<%`, `${`, etc. is perhaps not necessary, maybe in some other use-cases
it is, and then `?jsp_attribute` could probably work in both your and in the more generic
case. I will have to dig more into this to see.

BTW, why are you (always) using {{<%= %>}} as the JSP attribute value, instead of just
a static string?

(And of course, I hope you don't actually have `?j_string?replace("'", "\\\'")` after each
interpolation, and you just call an FTL function.)

> js_string buit-in function escapes '/' for first character
> ----------------------------------------------------------
>                 Key: FREEMARKER-16
>                 URL:
>             Project: Apache Freemarker
>          Issue Type: Bug
>          Components: engine
>    Affects Versions: 2.3.23
>            Reporter: Martin Těthal
>            Assignee: Daniel Dekany
>            Priority: Minor
> ${"bar/foo"?js_string} returns "bar/foo"
> but
> ${"/foo"?js_string} returns "\/foo" (the first slash character is escaped by backslash).
> I think the problem is from version 2.3.1 as documentation says:
> Starting from FreeMarker 2.3.1, it also escapes > as \> (to avoid </script>).

This message was sent by Atlassian JIRA

View raw message