tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 55735] New: Additional quote entity in html element attribute evaluated in tagx if attribute contains EL expression
Date Sat, 02 Nov 2013 06:14:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55735

            Bug ID: 55735
           Summary: Additional quote entity in html element attribute
                    evaluated in tagx if attribute contains EL expression
           Product: Tomcat 7
           Version: 7.0.47
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Jasper
          Assignee: dev@tomcat.apache.org
          Reporter: azuo.lee@sohu.com

Well, after fix for Bug 55198, if a tag file contains
<a href="#" onclick="window.alert(&quot;${text}&quot;)">foobar</a>
It can now be correctly rendered as (if text='foobar')
<a href="#" onclick="window.alert(&quot;foobar&quot;)">foobar</a>

But, It is rendered completely wrongly as ***** IF text='&amp;foobar' *****
<a href="#" onclick="window.alert(&quot;&amp;amp;foobar&quot;)">foobar</a>

The EL expression ${text} should be rendered without any escape, but now it is
escaped just as other literal part in the attribute.

Generally, a tagx file's compiler must not make any assumption that it's output
is a well-formed XML or not, it should just keep the literal atrribute or text
as is, and output any EL expression directly. It's the tagx file's author's
reponsibility to determine whether a text variable should be escaped, e.g.:
<a href="#" onclick="window.alert(&quot;${fn:escape(text)}&quot;)">foobar</a>

Suppose we have:
request.setAttribute("text", "2 &gt; 1");
And in a tagx file:
<div title="&quot;${text}&quot;">&quot;${text}&quot;</div>

The correct output could be:
<div title="&quot;2 &gt; 1&quot;">&quot;2 &gt; 1&quot;</div>

But neither
<div title="&quot;2 &amp;gt; 1&quot;">&quot;2 &gt; 1&quot;</div>

nor
<div title=""2 > 1"">&quot;2 &gt; 1&quot;</div>

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message