You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Karl Heinz Marbaise (JIRA)" <ji...@apache.org> on 2018/07/31 18:28:00 UTC
[jira] [Commented] (MNG-6435) DefaultSettingsBuilder assumes all
SettingsReader/Writer impls will use XML
[ https://issues.apache.org/jira/browse/MNG-6435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16564130#comment-16564130 ]
Karl Heinz Marbaise commented on MNG-6435:
------------------------------------------
Can you please give an example where this could harm someone?
> DefaultSettingsBuilder assumes all SettingsReader/Writer impls will use XML
> ---------------------------------------------------------------------------
>
> Key: MNG-6435
> URL: https://issues.apache.org/jira/browse/MNG-6435
> Project: Maven
> Issue Type: Bug
> Components: Settings
> Affects Versions: 3.5.3
> Reporter: Laird Nelson
> Priority: Major
>
> On or around line 234, interpolation of settings assumes XML:
> {code}
> interpolator.addPostProcessor( new InterpolationPostProcessor()
> {
> @Override
> public Object execute( String expression, Object value )
> {
> if ( value != null )
> {
> // we're going to parse this back in as XML so we need to escape XML markup
> value = value.toString().replace( "&", "&" ).replace( "<", "<" ).replace( ">", ">" );
> return value;
> }
> return null;
> }
> } );
> {code}
> The value being interpolated here is the result of a {{SettingsWriter}}'s output. Obviously this kind of escaping doesn't make any sense if the {{SettingsWriter}} in question is not XML-based.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)