Posted to issues@commons.apache.org by "Situ Chenghao (JIRA)" <ji...@apache.org> on 2007/10/23 09:12:51 UTC

[jira] Created: (LANG-363) StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly
------------------------------------------------------------------------------------------------------------------

                 Key: LANG-363
                 URL: https://issues.apache.org/jira/browse/LANG-363
             Project: Commons Lang
          Issue Type: Bug
    Affects Versions: 2.3
         Environment: JDK1.5 + commons-lang-2.3.jar + IE 6.0
            Reporter: Situ Chenghao
            Priority: Minor


If JavaScript includes '/', IE will parse the scripts incorrectly; actually '/' should be escaped to '\/'.
For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>'; this expression will make IE render the page incorrectly; it should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';

Btw, Spring's JavascriptEscape behavior is correct.
Try to run the code below, you will find the difference:
  String s = "<script>alert('aaa');</script>";
  String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
  System.out.println("Spring JS Escape : "+str);
  str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
  System.out.println("Apache Common Lang JS Escape : "+ str);

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
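
Added example, not part of the original report and not the Commons Lang or Spring code: it shows why the unescaped '/' matters when an escaped value is written into an inline script block. The helper names (escapeJs, scriptElementBody, buildPage) are hypothetical, and the HTML parsing is a simplified model that ends the script element at the first "</script".

```javascript
// Added illustration. escapeJs models a JavaScript string escaper;
// escapeSlash=false reproduces the behaviour the report describes.
function escapeJs(value, escapeSlash) {
  let out = '';
  for (const ch of value) {
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case "'":  out += "\\'";  break;
      case '"':  out += '\\"';  break;
      case '\n': out += '\\n';  break;
      case '\r': out += '\\r';  break;
      // "\/" is a valid JavaScript escape that decodes back to "/".
      case '/':  out += escapeSlash ? '\\/' : '/'; break;
      default:   out += ch;
    }
  }
  return out;
}

// Simplified model of the HTML parser: the body of the first script element
// ends at the first "</script" (case-insensitive), regardless of whether that
// text sits inside a JavaScript string literal.
function scriptElementBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// Build the inline script from the report around an escaped value.
function buildPage(value, escapeSlash) {
  const literal = escapeJs(value, escapeSlash);
  return `<script>document.getElementById("test").value = '${literal}';</script>`;
}

const sample = "<script>alert('aaa');</script>"; // value used in the report
const before = scriptElementBody(buildPage(sample, false));
const after = scriptElementBody(buildPage(sample, true));

// Without "\/" the element ends inside the string literal, so the browser
// receives a truncated statement and treats the rest as page markup.
console.log('without \\/ :', before);
// With "\/" the whole assignment reaches the JavaScript engine intact.
console.log('with \\/    :', after);
```

The same truncation applies to any value containing "</script" that reaches an inline script block, which is why this escaping gap is relevant to cross-site scripting review as well as to rendering.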


[jira] Commented: (LANG-363) StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12595878#action_12595878 ] 

Henri Yandell commented on LANG-363:
------------------------------------

See LANG-437 for conversation about rolling this fix back. There are user complaints on the list that the change is causing problems.

> StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-363
>                 URL: https://issues.apache.org/jira/browse/LANG-363
>             Project: Commons Lang
>          Issue Type: Bug
>    Affects Versions: 2.3
>         Environment: JDK1.5 + commons-lang-2.3.jar + IE 6.0
>            Reporter: Situ Chenghao
>            Priority: Minor
>             Fix For: 2.4
>
>         Attachments: patch.txt
>
>
> If JavaScript includes '/', IE will parse the scripts incorrectly; actually '/' should be escaped to '\/'.
> For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>'; this expression will make IE render the page incorrectly; it should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';
> Btw, Spring's JavascriptEscape behavior is correct.
> Try to run the code below, you will find the difference:
>   String s = "<script>alert('aaa');</script>";
>   String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
>   System.out.println("Spring JS Escape : "+str);
>   str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
>   System.out.println("Apache Common Lang JS Escape : "+ str);



[jira] Updated: (LANG-363) StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Scott Bassin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Bassin updated LANG-363:
------------------------------

    Attachment: patch.txt

Here's a patch that should fix the issue described.  Also included is an extra assertion in testEscapeJavaScript of StringEscapeUtilsTest.



[jira] Closed: (LANG-363) StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell closed LANG-363.
------------------------------

    Resolution: Fixed

Thanks again Scott (and Situ for reporting it), patch applied:

svn ci -m "Applying Scott Bassin's fix and test from LANG-363" src/test/org/apache/commons/lang/StringEscapeUtilsTest.java src/java/org/apache/commons/lang/StringEscapeUtils.java

Sending        src/java/org/apache/commons/lang/StringEscapeUtils.java
Sending        src/test/org/apache/commons/lang/StringEscapeUtilsTest.java
Transmitting file data ..
Committed revision 588534.



[jira] Updated: (LANG-363) StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell updated LANG-363:
-------------------------------

    Fix Version/s: 2.4



[jira] Updated: (LANG-363) StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Gary Gregory (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Gregory updated LANG-363:
------------------------------

    Summary: StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly  (was: StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly)

fix typo in summary field



[jira] Commented: (LANG-363) StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12537843 ] 

Henri Yandell commented on LANG-363:
------------------------------------

Heh - I even had a play with this when looking at the Spring one: http://opensource.atlassian.com/projects/spring/browse/SPR-1754

Not sure why I didn't submit a fix, probably too green with Spring at the time. 
