Posted to users@tomcat.apache.org by Vimil Saju <vi...@yahoo.com> on 2014/05/02 15:46:12 UTC

regarding escaping of single quotes in attributes of html tags

Hi,

I noticed that in version 7.0.53 single quotes in attributes of html tags that are generated using jspx are being escaped with &#039;. This was not the case in version 7.0.32. Could someone explain the reason behind this change?

Thanks
Vimil

Re: regarding escaping of single quotes in attributes of html tags

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-03 16:26 GMT+04:00 Vimil Saju <vi...@yahoo.com>:
>>The rules:
>>http://tomcat.apache.org/lists.html#tomcat-users
>>6. Do not top-post
>>7. Do not use HTML e-mails
>>
>>As you can see from the above, from HTML point of view there is no difference.
>>
>>
>> onclick=
>>=3D"clicked(&#039;Hello&#039;)">Hello</a>=0A</body>=0A</html>=0A=0AI was wo=
>>ndering why the single quotes are now being escaped in html output.=0A=0ATh=
>>
>>
>>The change was intentional and is mentioned in changelog.
>>
>>
>>
>> 2) See 'Jasper' section of the changelog, starting with 7.0.43
>> http://tomcat.apache.org/bugreport.html#Changelog
>
> I am sorry about top posting, and using HTML.
> I did read the changelog and this change is mentioned, but there was no explanation regarding why this change was required.

That boils down to what is written in JSP specification.

https://issues.apache.org/bugzilla/show_bug.cgi?id=55198#c5

Unfortunately fixing that issue was not as easy as it could be, with
followup fixes going into 7.0.50, 52, 53 and in upcoming 54.

> Currently we have Jmeter scripts that go through raw HTTP responses and check for the presence of certain strings. These scripts started to fail after we upgraded our tomcat, we have now modified our scripts to look for &#039; as well as single quotes. I just wanted to know if there was a purpose for this change, I mean was anything broken because single quotes were not escaped?


Single quotes inside of double quotes are not really broken,  but we
are using a function that escapes all special chars (' " & <>)
regardless of context.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
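
The point made in this reply, that the escaped and unescaped output are the same from the HTML point of view, together with a response check that survives the change, as an added example (not code from Tomcat or from the posters). The names escape_all, parsed_attrs, attr_equals and single_quoted_attr are hypothetical, and the single-quoted attribute goes beyond the thread's example to show the context where a quote has to be escaped:

```python
from html.parser import HTMLParser

# Constructed samples: the <a> element quoted in the thread for each version.
OUT_7_0_32 = '<a href="#" onclick="clicked(\'Hello\')">Hello</a>'
OUT_7_0_53 = '<a href="#" onclick="clicked(&#039;Hello&#039;)">Hello</a>'

# Hypothetical table; only the &#039; form is taken from the thread.
_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}


def escape_all(text):
    """Escape ' " & < > wherever they occur, whatever the quoting context."""
    return "".join(_ENTITIES.get(ch, ch) for ch in text)


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute, decoded value) the way an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend((tag, name, value) for name, value in attrs)


def parsed_attrs(markup):
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.found


def attr_equals(markup, tag, name, expected):
    """Response check that compares the decoded attribute value, not raw bytes."""
    return (tag, name, expected) in parsed_attrs(markup)


def single_quoted_attr(value, escape):
    """An attribute delimited by ', the context where an unescaped ' ends the value."""
    return "<a title='%s'>x</a>" % (escape_all(value) if escape else value)


if __name__ == "__main__":
    print(parsed_attrs(OUT_7_0_32) == parsed_attrs(OUT_7_0_53))         # same DOM value
    print("clicked('Hello')" in OUT_7_0_53)                             # raw match fails
    print(attr_equals(OUT_7_0_53, "a", "onclick", "clicked('Hello')"))  # parsed match
    print(attr_equals(single_quoted_attr("it's", False), "a", "title", "it's"))
    print(attr_equals(single_quoted_attr("it's", True), "a", "title", "it's"))
```

A check written like attr_equals passes against both Tomcat versions, whereas a raw substring match has to list every spelling of the quote.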


Re: regarding escaping of single quotes in attributes of html tags

Posted by Vimil Saju <vi...@yahoo.com>.
>The rules:
>http://tomcat.apache.org/lists.html#tomcat-users
>6. Do not top-post
>7. Do not use HTML e-mails
>
>As you can see from the above, from HTML point of view there is no difference.
>
>
> onclick=
>=3D"clicked(&#039;Hello&#039;)">Hello</a>=0A</body>=0A</html>=0A=0AI was wo=
>ndering why the single quotes are now being escaped in html output.=0A=0ATh=
>
>
>The change was intentional and is mentioned in changelog.
>
>
>
> 2) See 'Jasper' section of the changelog, starting with 7.0.43
> http://tomcat.apache.org/bugreport.html#Changelog

I am sorry about top posting, and using HTML.
I did read the changelog and this change is mentioned, but there was no explanation regarding why this change was required. 
Currently we have Jmeter scripts that go through raw HTTP responses and check for the presence of certain strings. These scripts started to fail after we upgraded our tomcat, we have now modified our scripts to look for &#039; as well as single quotes. I just wanted to know if there was a purpose for this change, I mean was anything broken because single quotes were not escaped?



Re: regarding escaping of single quotes in attributes of html tags

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-02 21:56 GMT+04:00 Vimil Saju <vi...@yahoo.com>:
> Sorry about not providing an example.
>
> Below is the contents of a jspx file
>
> <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
> <html>
>            <body>
> <a href="#" onclick="clicked('Hello')">Hello</a>
> </body>
> </html>
> </jsp:root>
>
>
>
> In tomcat 7.0.32 the above jspx would generate the following html
> <html>
>            <body>
> <a href="#" onclick="clicked('Hello')">Hello</a>
> </body>
> </html>
>
> However in tomcat 7.0.53 the html generated is
> <html>
>            <body>
> <a href="#" onclick="clicked(&#039;Hello&#039;)">Hello</a>
> </body>
> </html>

The rules:
http://tomcat.apache.org/lists.html#tomcat-users
6. Do not top-post
7. Do not use HTML e-mails

As you can see from the above, from HTML point of view there is no difference.


> onclick=
=3D"clicked(&#039;Hello&#039;)">Hello</a>=0A</body>=0A</html>=0A=0AI was wo=
ndering why the single quotes are now being escaped in html output.=0A=0ATh=


The change was intentional and is mentioned in changelog.

>
> 2) See 'Jasper' section of the changelog, starting with 7.0.43
> http://tomcat.apache.org/bugreport.html#Changelog



Re: regarding escaping of single quotes in attributes of html tags

Posted by Vimil Saju <vi...@yahoo.com>.
Sorry about not providing an example.

Below is the contents of a jspx file

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
<html>
           <body>
<a href="#" onclick="clicked('Hello')">Hello</a>
</body>
</html>
</jsp:root>



In tomcat 7.0.32 the above jspx would generate the following html 
<html>
           <body>
<a href="#" onclick="clicked('Hello')">Hello</a>
</body>
</html>

However in tomcat 7.0.53 the html generated is 
<html>
           <body>
<a href="#" onclick="clicked(&#039;Hello&#039;)">Hello</a>
</body>
</html>

I was wondering why the single quotes are now being escaped in html output.

Thanks
Vimil
On Friday, May 2, 2014 7:14 AM, Konstantin Kolinko <kn...@gmail.com> wrote:
 
2014-05-02 17:46 GMT+04:00 Vimil Saju <vi...@yahoo.com>:

> Hi,
>
> I noticed that in version 7.0.53 single quotes in attributes of html tags that are generated using jspx are being escaped with &#039;. This was not the case in version 7.0.32. Could someone explain the reason behind this change?

1) An example of what happens and what is expected = ?

2) See 'Jasper' section of the changelog, starting with 7.0.43
http://tomcat.apache.org/bugreport.html#Changelog

Best regards,
Konstantin Kolinko


Re: regarding escaping of single quotes in attributes of html tags

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-02 17:46 GMT+04:00 Vimil Saju <vi...@yahoo.com>:
> Hi,
>
> I noticed that in version 7.0.53 single quotes in attributes of html tags that are generated using jspx are being escaped with &#039;. This was not the case in version 7.0.32. Could someone explain the reason behind this change?

1) An example of what happens and what is expected = ?

2) See 'Jasper' section of the changelog, starting with 7.0.43
http://tomcat.apache.org/bugreport.html#Changelog

Best regards,
Konstantin Kolinko
