Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B003A1845F for ; Thu, 19 Nov 2015 10:18:51 +0000 (UTC) Received: (qmail 40925 invoked by uid 500); 19 Nov 2015 10:18:49 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 40785 invoked by uid 500); 19 Nov 2015 10:18:49 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 40755 invoked by uid 99); 19 Nov 2015 10:18:49 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Nov 2015 10:18:49 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 90C75180A2A for ; Thu, 19 Nov 2015 10:18:48 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.12 X-Spam-Level: X-Spam-Status: No, score=-0.12 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 9qddpw8DoNCF for ; Thu, 19 Nov 2015 10:18:38 +0000 (UTC) Received: from mail-ob0-f179.google.com (mail-ob0-f179.google.com [209.85.214.179]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with ESMTPS id B7BFF20225 for ; Thu, 19 Nov 2015 10:18:37 +0000 (UTC) Received: by obbbj7 with SMTP id bj7so56264239obb.1 for ; Thu, 19 Nov 2015 02:18:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=bS6TwPX0aQ02GhbLJr40ojz7NDJpQRhWEqrYElConWY=; b=K0QJRLTnhtH7DYWIP6QtpjSX/PMtWCucqF2fisdIU5vtESsX+ctpLhJ353b3v3om/D B0nLMK91SN4X8q58ZepAma/lEuLQ8atRZPNOsEqa1a+P6q2t6Eb7EnOT4a0v7algo+g9 87WCVU64QzU5Jy3je41M11noH4cK/KVdho/2bLFuGfhDNKhoeg6SVHoLVnjqzXr3cW7e rJJNAjqnvxBKGCWBYGlup7XtrN+wNZ5lvf6yrra6tXwHEb5M0+14q+PXffpJHGHbcO9s CZDrVv1Y6iVR4iRVietmNnfLkI3fdNx6TzvVeY+LeZQ9dELT2SZglKg9YdZ9rAbXWKcu n25w== MIME-Version: 1.0 X-Received: by 10.182.165.131 with SMTP id yy3mr4567975obb.49.1447928317054; Thu, 19 Nov 2015 02:18:37 -0800 (PST) Received: by 10.202.2.136 with HTTP; Thu, 19 Nov 2015 02:18:36 -0800 (PST) In-Reply-To: References: <563B17D7.9070800@apache.org> <563B228F.2070308@apache.org> <563C9358.3070602@christopherschultz.net> <563C9910.9020608@apache.org> Date: Thu, 19 Nov 2015 13:18:36 +0300 Message-ID: Subject: Re: On escaping of EL in attributes (BZ 57136) From: Konstantin Kolinko To: Tomcat Developers List Content-Type: text/plain; charset=UTF-8 2015-11-09 17:35 GMT+03:00 Konstantin Kolinko : > 2015-11-06 15:12 GMT+03:00 Mark Thomas : >> On 06/11/2015 11:47, Christopher Schultz wrote: >>> On 11/5/15 4:34 AM, Mark Thomas wrote: >>>> On 05/11/2015 08:48, Mark Thomas wrote: > > <...> > >>>> At this point, I don't see a clear argument one way or the other. >>>> >>>> I've looked through the open JSP spec issues: >>>> https://java.net/jira/browse/JSP_SPEC_PUBLIC >>>> >>>> and I don't see anything for this. I do see a lot of very old issues >>>> that don't appear to have been looked at for some time. >>>> >>>> Given the lack of clarity of the which behaviour is correct, I think we >>>> have little choice but to make this optional and that we should get this >>>> done before the next 8.0.x release. I intend to start working on that in >>>> trunk today. >>> > > <...> > >> If we did have the TCK we could challenge it again (on the grounds the >> spec was never updated so surely that must mean the spec is right and >> the TCK is wrong) >> >>> On the other hand, nobody ready the TCK... only the spec. >> >> Indeed. >> >>> So most users will expect form 2. >> >> If they read the spec carefully enough (and to be fair it took me >> several days of reading and re-reading the relevant bits to get to the >> point I was happy that I understood what it meant) they should expect >> form 1. >> > > > If I were in the footwear of somebody who implements a web application > that has to run on all web containers implementing the specification, > my position will be: > > All I would care is that all web containers implement this part of > specification in the same way. In this case I can "write once, run > everywhere", which is usually expected of Java. > > If this is enforced not through the text of the document, but through > the TCK, it is a pity (and a shame on spec leader), but it solves my > problem. > > > It is unlikely that some test were removed from TCK unless spec leader > officially allows undefined behaviour across different > implementations. As such, testing this example in an alternate > implementation (e.g. RI) will make a guess on what behaviour is > expected here. (Maybe somebody on users list would like to do > testing). > > > That aside, > as I mention in BZ 57136, form 2 (double escaping) provides better > historical compatibility with pre-EL use of tag libraries (JSTL 1.0 / > JSP 1.2 version of EL). > > form 1 (single escaping) is easier to read and write and provides > uniformity across using EL in template text and EL in tags. > > > Syntax hiliting in Eclipse IDE (4.4.2 Luna SR2) breaks at current > /tomcat-7.0.x/test/webapp-3.0/el-method.jsp (form 1). I have not yet > upgraded to current Mars 4.5[.1] to test it there. I attached sample web application to the issue, https://bz.apache.org/bugzilla/show_bug.cgi?id=57136#c31 Testing with Glassfish 4.1.1, it also expects double escaping. I am not a user of Glassfish, so I do not know yet what configuration options are there if this feature is configurable. === My steps: 1. Follow https://glassfish.java.net/download.html and download glassfish-4.1.1-web.zip 2. After unzipping GF, copy test.war into glassfish4/glassfish/domains/domain1/autodeploy/ 3. Start it cd glassfish4/bin asadmin start-domain 4. Open the page in browser http://localhost:8080/test/ Page with double escaped variant works. Page with no double escaping fails: org.apache.jasper.JasperException: /test1.jsp(27,66) PWC6031: Unterminated <c:if tag (GRRR: It is not Apache Jasper. They were lazy to rename the package and are abusing the trademarks...) 5. Stop it cd glassfish4/bin asadmin stop-domain === As such, I think the default value of "quoteAttributeEL" option in Jasper shall be changed to "true". The same in JspC, where it would need a "-no-quoteAttributeEL" command line option. BTW, jasper-howto.xml already documents that the default is true, which does not match the code. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org