shale-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sorina Grave (JIRA)" <>
Subject [jira] Commented: (SHALE-488) Script contents should be enclosed in CDATA section for XML documents
Date Mon, 09 Jun 2008 14:46:05 GMT


Sorina Grave commented on SHALE-488:

I agree that the output of JavaScript to the HtmlWriter should be enclosed within  a CDATA
section for XHTML because the validation for XHTML 1.0 Transitional fails when JavaScript
contains charactes such as "<" or"--".

The problem is actually down to the detection of XHTMLContentType in HtmlRenderUtils - the
list of current content types is checked against the following supported list:

String[] supportedContentTypeArray = new String[]{HTML_CONTENT_TYPE, ANY_CONTENT_TYPE,XHTML_CONTENT_TYPE,

Since the first check and the first element in the list are HTML, the value of _contentType
will be always be set to HTML_CONTENT_TYPE (See selectContentType from
Another problem is that "isAllowedCdataSection" method is also called together with isXHTMLContentType:

I have tried adding to web.xml the the entry corresponding to ALLOW_CDATA_SECTION_ON ("org.apache.myfaces.ResponseWriter.CdataSectionOn")
but it didn't make any difference. Any ideas on how this setting should be used?

this section:


should be replaced by something like this (The decision to write either CDATA section or HTML
comment should be made based on Doctype declared at the top of the page)


I can actually see the value of writer's buffer (after it has appended PageContext) and in
my case, this contains:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

The document type should be determined by parsing the buffer and it should be used used to
decide whether to write CDATA_START or COMMENT_START.

> Script contents should be enclosed in CDATA section for XML documents
> ---------------------------------------------------------------------
>                 Key: SHALE-488
>                 URL:
>             Project: Shale
>          Issue Type: Improvement
>          Components: Validator
>    Affects Versions: 1.0.4
>         Environment: XML content types, including XHTML
>            Reporter: Jeff Tsay
> When the validator script gets rendered, it outputs raw Javascript inside the <script>

> tags. The Javascript includes characters like & which need to be escaped 
> or in a CDATA section in XML. For XUL or XHTML, this is a problem. I 
> guess that XHTML parsers are more lenient about this so that's why the 
> problem never showed up? Anyway the fix, which was also suggested by 
> Gary VanMatre, was to enclose the script contents in an XML CDATA 
> section. So in 
> src/main/java/org/apache/shale/validator/faces/ I have:
>  private void writeScriptStart(ResponseWriter writer) throws IOException {
>       writer.startElement("script", this);
>       writer.writeAttribute("type", "text/javascript", null);
>       writer.writeAttribute("language", "Javascript1.1", null);
>       writer.write("\n");
>       // jtsay added
>       // Enclose XML in CDATA so special characters can be used without 
> escaping.
>       if (!"text/html".equals(writer.getContentType())) {
>           writer.write("<![CDATA[\n");
>       }
>     }
> and
> private void writeScriptEnd(ResponseWriter writer) throws IOException {
>      // jtsay added
>       if (!"text/html".equals(writer.getContentType())) {
>           writer.write("\n]]>\n");
>       }
>       writer.write("\n");
>       writer.endElement("script");
>    }
> This assumes if we are not rendering text/html, we must be rendering 
> some sort of XML. Sound reasonable?

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message