struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4742) Problem with escape when the key from getText has no value
Date Sat, 11 Mar 2017 11:57:04 GMT

    [ https://issues.apache.org/jira/browse/WW-4742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15906174#comment-15906174 ]

Yasser Zamani commented on WW-4742:
-----------------------------------

Reviewing common-lang showed me that escapeEcmaScript is not for escape from script injection
but is for escaping an ecma string that can be used inside an ecma string! Below is its doc:
{code}
    /**
     * <p>Escapes the characters in a {@code String} using EcmaScript String rules.</p>
     * <p>Escapes any values it finds into their EcmaScript String form.
     * Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.) </p>
     *
     * <p>So a tab becomes the characters {@code '\\'} and
     * {@code 't'}.</p>
     *
     * <p>The only difference between Java strings and EcmaScript strings
     * is that in EcmaScript, a single quote and forward-slash (/) are escaped.</p>
     *
     * <p>Note that EcmaScript is best known by the JavaScript and ActionScript dialects.</p>
     *
     * <p>Example:</p>
     * <pre>
     * input string: He didn't say, "Stop!"
     * output string: He didn\'t say, \"Stop!\"
     * </pre>
     *
     * @param input  String to escape values in, may be null
     * @return String with escaped values, {@code null} if null string input
     *
     * @since 3.0
     */
{code}

> Problem with escape when the key from getText has no value
> ----------------------------------------------------------
>
>                 Key: WW-4742
>                 URL: https://issues.apache.org/jira/browse/WW-4742
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Tags
>    Affects Versions: 2.5.8, 2.5.10
>            Reporter: Mateus Carvalho
>            Assignee: Lukasz Lenart
>            Priority: Minor
>             Fix For: 2.5.next
>
>
> When using an encoding like ISO-8859-1 and having the following situation:
> {code:title=message.ftl|borderStyle=solid}
> ...
> <@s.text name="Obrigatório - not mapped word in any dictionary" />
> ...
> {code}
> We have the following output after update 2.5.8:
> {code}
> Obrigat\u00F3rio - not mapped word in any dictionary
> {code}
> After a careful look at the source code and issues from 2.5.8, I found the problem happens just in one added line on WW-4712, the following part of the code:
> {code:title=TextProviderHelper.java|borderStyle=solid}
> ...
> public static String getText(String key, String defaultMessage, List<Object> args, ValueStack stack, boolean searchStack) {
> ...
> //This escape causes the problem
> msg = StringEscapeUtils.escapeEcmaScript(msg);
> ...
> }
> ...
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
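
Added example (not part of the original message, and not Struts or commons-lang code): a small Java program that runs the two strings quoted above through `StringEscapeUtils.escapeEcmaScript`, then compares a JavaScript-string encoding with an HTML encoding of a constructed sample. It assumes commons-lang3 is on the classpath; the class name `EscapeContextDemo` and the `expect` helper are hypothetical.

```java
// Added example, not Struts or commons-lang code. Needs commons-lang3 on the classpath.
import org.apache.commons.lang3.StringEscapeUtils;

public class EscapeContextDemo {

    // Hypothetical helper: fail loudly if an escaper does not return the expected text.
    static void expect(String label, String expected, String actual) {
        if (!expected.equals(actual)) {
            throw new IllegalStateException(label + ": expected [" + expected + "] got [" + actual + "]");
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // The unmapped key from the issue report (o-acute written as a Unicode escape
        // so this source file stays ASCII).
        String key = "Obrigat\u00F3rio - not mapped word in any dictionary";
        // The output the reporter saw after 2.5.8: a literal backslash followed by u00F3.
        String reported = "Obrigat\\u00F3rio - not mapped word in any dictionary";
        expect("issue text, ECMAScript rules", reported, StringEscapeUtils.escapeEcmaScript(key));

        // The example from the Javadoc quoted in the comment.
        expect("javadoc example", "He didn\\'t say, \\\"Stop!\\\"",
                StringEscapeUtils.escapeEcmaScript("He didn't say, \"Stop!\""));

        // Constructed sample: text that carries HTML markup characters.
        String markup = "<b>Obrigat\u00F3rio</b>";
        String asJsString = StringEscapeUtils.escapeEcmaScript(markup);
        String asHtml = StringEscapeUtils.escapeHtml4(markup);

        // ECMAScript string rules leave '<' and '>' alone, so the result is only
        // suitable inside a JavaScript string literal, not as HTML output encoding.
        if (!asJsString.contains("<") || asHtml.contains("<")) {
            throw new IllegalStateException("unexpected escaper behaviour");
        }
        System.out.println("inside a JS string literal: " + asJsString);
        System.out.println("inside an HTML body:        " + asHtml);
    }
}
```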
