shale-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sorina Grave (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHALE-488) Script contents should be enclosed in CDATA section for XML documents
Date Mon, 09 Jun 2008 14:46:05 GMT

    [ https://issues.apache.org/struts/browse/SHALE-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44089#action_44089
] 

Sorina Grave commented on SHALE-488:
------------------------------------

I agree that the output of JavaScript to the HtmlWriter should be enclosed within  a CDATA
section for XHTML because the validation for XHTML 1.0 Transitional fails when JavaScript
contains charactes such as "<" or"--".

The problem is actually down to the detection of XHTMLContentType in HtmlRenderUtils - the
list of current content types is checked against the following supported list:

String[] supportedContentTypeArray = new String[]{HTML_CONTENT_TYPE, ANY_CONTENT_TYPE,XHTML_CONTENT_TYPE,
APPLICATION_XML_CONTENT_TYPE, TEXT_XML_CONTENT_TYPE};

Since the first check and the first element in the list are HTML, the value of _contentType
will be always be set to HTML_CONTENT_TYPE (See selectContentType from HtmlRenderUtils.java).
Another problem is that "isAllowedCdataSection" method is also called together with isXHTMLContentType:

I have tried adding to web.xml the the entry corresponding to ALLOW_CDATA_SECTION_ON ("org.apache.myfaces.ResponseWriter.CdataSectionOn")
but it didn't make any difference. Any ideas on how this setting should be used?

this section:

if(isScriptOrStyle())
{
   if(HtmlRendererUtils.isXHTMLContentType(_contentType))
   {
      if(HtmlRendererUtils.isAllowedCdataSection(FacesContext.getCurrentInstance()))
      {
          _writer.write(CDATA_START);
      }
   }
   else
   {
   _writer.write(COMMENT_START);
   }
}

should be replaced by something like this (The decision to write either CDATA section or HTML
comment should be made based on Doctype declared at the top of the page)

if(isScriptOrStyle())
{
   if(HtmlRendererUtils.isXHTMLDocType(pageContext))
   {
      _writer.write(CDATA_START);                
   }
   else
    {
       _writer.write(COMMENT_START);
   }
}

I can actually see the value of writer's buffer (after it has appended PageContext) and in
my case, this contains:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

The document type should be determined by parsing the buffer and it should be used used to
decide whether to write CDATA_START or COMMENT_START.


> Script contents should be enclosed in CDATA section for XML documents
> ---------------------------------------------------------------------
>
>                 Key: SHALE-488
>                 URL: https://issues.apache.org/struts/browse/SHALE-488
>             Project: Shale
>          Issue Type: Improvement
>          Components: Validator
>    Affects Versions: 1.0.4
>         Environment: XML content types, including XHTML
>            Reporter: Jeff Tsay
>
> When the validator script gets rendered, it outputs raw Javascript inside the <script>

> tags. The Javascript includes characters like & which need to be escaped 
> or in a CDATA section in XML. For XUL or XHTML, this is a problem. I 
> guess that XHTML parsers are more lenient about this so that's why the 
> problem never showed up? Anyway the fix, which was also suggested by 
> Gary VanMatre, was to enclose the script contents in an XML CDATA 
> section. So in 
> src/main/java/org/apache/shale/validator/faces/ValidatorScript.java I have:
>  private void writeScriptStart(ResponseWriter writer) throws IOException {
>       writer.startElement("script", this);
>       writer.writeAttribute("type", "text/javascript", null);
>       writer.writeAttribute("language", "Javascript1.1", null);
>       writer.write("\n");
>      
>       // jtsay added
>       // Enclose XML in CDATA so special characters can be used without 
> escaping.
>       if (!"text/html".equals(writer.getContentType())) {
>           writer.write("<![CDATA[\n");
>       }
>     }
> and
> private void writeScriptEnd(ResponseWriter writer) throws IOException {
>      // jtsay added
>       if (!"text/html".equals(writer.getContentType())) {
>           writer.write("\n]]>\n");
>       }
>          
>       writer.write("\n");
>       writer.endElement("script");
>    }
> This assumes if we are not rendering text/html, we must be rendering 
> some sort of XML. Sound reasonable?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message