tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 62825] New: JSP inline javascript backslash miss escaping in single quote string values
Date Mon, 15 Oct 2018 06:13:52 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=62825

            Bug ID: 62825
           Summary: JSP inline javascript backslash miss escaping in
                    single quote string values
           Product: Tomcat 8
           Version: 8.5.27
          Hardware: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Jasper
          Assignee: dev@tomcat.apache.org
          Reporter: isalister@ust.hk
  Target Milestone: ----

Created attachment 36198
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36198&action=edit
Contains the source JSP inline JavaScript file, the resulting parsed JavaScript
source in Chrome developer mode, and the generated JSP Java file.

The inline JavaScript in a JSP is supposed to have the same JavaScript source as
plain JavaScript in a non-JSP page (e.g. HTML).

But when there is a backslash value '\\' in a JSP page, after the JSP engine
parses it, the output JSP Java file doesn't escape the backslash value in the
single-quoted string value; the incorrect result is "...'\\'...", while the
correct result should be "...'\\\\'...".

Steps to reproduce:
1) Create an index.jsp file and add the following JavaScript code:
<script>
console.log('^?123'.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, '\\$&') + '(.*)');
</script>

2) Open the generated JSP Java file; the parsing result is as follows:
...
out.write("console.log('^?123'.replace(/[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^$\\|]/g,
'\\$&') + '(.*)');\r\n");
...

3) The correct generated JSP Java file should be as follows:
...
out.write("console.log('^?123'.replace(/[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^$\\|]/g,
'\\\\$&') + '(.*)');\r\n");
...

-- 
You are receiving this mail because:
You are the assignee for the bug.
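
Added example (not part of the bug report or of Tomcat's code): tracing the replacement argument from the two out.write(...) literals in steps 2 and 3 through both decoding layers shows what the browser receives and what the replace() call returns in each case. decodeLiteral, trace and the constant names are assumptions of this example, and only the escapes that occur in the report are handled.

```javascript
'use strict';

// Decode backslash escapes in a string-literal body (text between the quotes).
// strict=true models a Java literal; strict=false models a JavaScript literal,
// where an unknown escape such as \$ is an identity escape that yields "$".
// Only the simple escapes needed for the report's strings are supported.
function decodeLiteral(body, strict) {
  const known = { n: '\n', r: '\r', t: '\t', '"': '"', "'": "'", '\\': '\\' };
  let out = '';
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== '\\') { out += body[i]; continue; }
    const next = body[++i];
    if (next === undefined) throw new Error('dangling backslash');
    if (next in known) out += known[next];
    else if (strict) throw new Error('illegal escape \\' + next);
    else out += next;
  }
  return out;
}

// Replacement argument exactly as it appears inside out.write("...") on the page.
const JAVA_ACTUAL = String.raw`\\$&`;      // step 2: generated Java file
const JAVA_EXPECTED = String.raw`\\\\$&`;  // step 3: what the reporter expects

// The character class from step 1 of the report.
const SPECIALS = /[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g;

// Java literal -> JavaScript source sent to the browser -> runtime string
// value -> result of the report's '^?123'.replace(...) call.
function trace(javaBody) {
  const jsSource = decodeLiteral(javaBody, true);
  const replacement = decodeLiteral(jsSource, false);
  const result = '^?123'.replace(SPECIALS, replacement);
  return { jsSource, replacement, result };
}

console.log('step 2:', trace(JAVA_ACTUAL));
console.log('step 3:', trace(JAVA_EXPECTED));
```

With the step 2 literal the browser receives '\$&', which evaluates to the plain replacement pattern $&, so the call returns its input unchanged and a regex-escaping helper written this way silently stops escaping.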