Posted to commits@wicket.apache.org by "Hendy Irawan (JIRA)" <ji...@apache.org> on 2014/03/06 06:25:46 UTC
[jira] [Commented] (WICKET-5524) JavaScriptUtils.escapeQuotes() does not escape \
[ https://issues.apache.org/jira/browse/WICKET-5524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13922026#comment-13922026 ]
Hendy Irawan commented on WICKET-5524:
--------------------------------------
BTW, how does Wicket itself use {{escapeQuotes()}}? If it's used to escape user input for use in JavaScript, I imagine the result is not always intended.
Our use case is to put arbitrary variable contents inside a JavaScript string. It may contain anything, from harmless backslashes {{C:\Program Files}} to perhaps hacking attempts from people trying to do script injection.
Previously we were using {{JavaScriptUtils.escapeQuotes()}}, but since we can't use it now, we will probably use Jackson, although it seems heavyweight for our "simple" case.
> JavaScriptUtils.escapeQuotes() does not escape \
> ------------------------------------------------
>
> Key: WICKET-5524
> URL: https://issues.apache.org/jira/browse/WICKET-5524
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.13.0
> Reporter: Mahendri Winata
>
> We tried to use JavaScriptUtils.escapeQuotes like this:
> {code}
> @Override
> protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
>     attributes.getAjaxCallListeners().add(new AjaxCallListener() {
>         @Override
>         public CharSequence getPrecondition(Component component) {
>             return "return confirm('Anda yakin menghapus Cart " +
>                 JavaScriptUtils.escapeQuotes(item.getModel().getObject().getPerson().getName()) + " ini?')";
>         }
>     });
>     super.updateAjaxAttributes(attributes);
> }
> {code}
> However, this fails when the input is (notice the backslash):
> {{Ulin Ni\'mah}}
> because the output will be:
> {{Ulin Ni\\'mah}}
> {{escapeQuotes()}} should also escape backslashes in addition to quotes, so that it is directly usable for writing JavaScript strings from arbitrary input.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
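An escaper that handles the backslash case described in the report, written as an added example for this page and not taken from Wicket or from the reporters' code; the class name {{JsStringEscaper}} and the method {{escapeForJsString}} are assumed. It escapes the backslash before anything else, which is the step {{escapeQuotes()}} omits, and also neutralises the other characters that can end a single-quoted JavaScript literal or an inline script block.

```java
// Added example (not Wicket's own code): escape arbitrary text so that it can be
// embedded inside a single-quoted JavaScript string literal. Escaping only quotes
// turns the input  Ulin Ni\'mah  into  Ulin Ni\\'mah , whose \\ is a literal
// backslash and whose ' then terminates the literal early.
public final class JsStringEscaper {

    private JsStringEscaper() {}

    public static String escapeForJsString(CharSequence input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\\':     out.append("\\\\");   break; // backslash itself, handled first
                case '\'':     out.append("\\'");    break;
                case '"':      out.append("\\\"");   break;
                case '\n':     out.append("\\n");    break; // raw newlines end a JS literal
                case '\r':     out.append("\\r");    break;
                case '\u2028': out.append("\\u2028"); break; // JS line separators end it too
                case '\u2029': out.append("\\u2029"); break;
                case '<':      out.append("\\x3c");  break; // keeps "</script>" from closing
                case '>':      out.append("\\x3e");  break; // an inline <script> block
                case '&':      out.append("\\x26");  break;
                default:       out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the name from the bug report,
        // the second the path from the comment, the third a quote-breaking attempt
        // that the escaper keeps inside the string.
        String[] samples = { "Ulin Ni\\'mah", "C:\\Program Files", "x'; alert(1); //" };
        for (String s : samples) {
            System.out.println("return confirm('Delete " + escapeForJsString(s) + "?')");
        }
    }
}
```

When the resulting JavaScript is placed in an HTML attribute such as onclick, the whole attribute value must additionally be HTML-escaped; this function only handles the JavaScript string context.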