Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/11/05 04:27:30 UTC

[Bug 55198] Quote entity in html element attribute evaluated in tagx if attribute contains EL expression

https://issues.apache.org/bugzilla/show_bug.cgi?id=55198

--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> ---
For the record, the change in 7.0.43 for this bug is r1500065

It changed how EL output is escaped in tag attributes - see bug 55735.
I think this change in EL escaping was an inadvertent one, as the original
issue is about static content. It did not say anything about escaping of EL output.

As this issue is an older one, I will comment on the specification here.


1. Reading the JSP specification

JSP 2.3 (JSP2.3MR.pdf) chapter JSP.6.3.9 "Template Content" says how static
content shall be rendered:

It says about XML fragments that
"The interpretation of such an XML element is to pass its textual
representation to the current value of out, after the whitespace processing
described in Section JSP.6.2.3."


Testing this feature, I see an odd behaviour. A simple example would be a
JSPX page like this:

[[[
<jsp:root version="2.0" xmlns:jsp="http://java.sun.com/JSP/Page">
<jsp:directive.page contentType="text/plain" />
<foo bar="&lt;HH&gt;" baz="&quot;JJ&quot;" foo="&amp;">
&lt;LL&gt;
</foo>
</jsp:root>
]]]


I expect it to render &lt;HH&gt;, &quot;JJ&quot;, &amp; and &lt;LL&gt;,
as that is a textual representation of the above XML, but
in all 7.0.47, 7.0.42 and 6.0.37 it renders:

 foo="&" baz="&quot;JJ&quot;" bar="<HH>" and <LL>

Somehow only the quotes are rendered correctly.


2. It would be nice to expand what is written in JSP.6.2.3. to the EL
expressions in those XML fragments, so that Tomcat renders well-formed XML,
but it is likely that such an interpretation is wrong.

If I do such expansion, I would say that

- ELs in attributes of tags in XML fragments have to have their text content
escaped

- ELs in tag bodies of tags in XML fragments have to have their text content
escaped

- ELs in the body of <jsp:text/> elements shall be rendered as is, without
escaping.

As per JSP.6.2.3 <jsp:text/> generates arbitrary content.

- ELs in <![CDATA[...]]> blocks:

The easy way is to render the content of CDATA blocks as text. In this case the
usual escaping rules apply.

(If CDATA were rendered as CDATA, the usual escaping rules do not apply,
but one would have to beware of ']]>' in EL output).


It would be nice to interpret the specification this way and throw away a
number of escapeXml calls, but it is likely that such an interpretation is
wrong.


With r1500065 the ELs in attributes of tags in XML fragments
are now escaped automatically.

My own example is that code like this in JSPX files

<a href="${fn:escapeXml(url)}">...</a>

now produces URLs that are escaped twice, with &amp;amp;s.
This is the issue reported in bug 55735.


This change has not changed how ELs are handled in tag bodies. Only attributes
were affected.

Looking at textRotate.jspx in the Tomcat examples web application, it does not
expect the ${name} expression to be escaped automatically. It explicitly calls
escapeXml().

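The double escaping and the ']]>' caveat described in the comment above, as an added example that is not part of the original message or of Tomcat's code. It is a Python model in which the hypothetical helper `escape_xml` stands in for both `fn:escapeXml` and the container's attribute escaping; `URL` and `PAYLOAD` are constructed sample values.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

URL = "/search?q=a&lang=en"      # constructed sample value
PAYLOAD = "x ]]> <b>y</b>"       # constructed EL output containing ']]>'

def escape_xml(text):
    """Escape & < > " ' (assumed stand-in for fn:escapeXml and container escaping)."""
    return escape(text, {'"': "&#034;", "'": "&#039;"})

def render_anchor(url, auto_escape, explicit_escape):
    """Render <a href="${...}"/> with each escaping layer switched on or off."""
    value = escape_xml(url) if explicit_escape else url   # ${fn:escapeXml(url)}
    if auto_escape:                                        # escaping applied by the container
        value = escape_xml(value)
    return '<a href="%s"/>' % value

def parsed_href(markup):
    """Return the href an XML parser sees, or None if the markup is not well-formed."""
    try:
        return ET.fromstring(markup).get("href")
    except ET.ParseError:
        return None

def cdata(text):
    """Wrap text in CDATA, splitting every ']]>' across two sections."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def parsed_text(markup):
    """Return the root element's text, or None if the markup is not well-formed."""
    try:
        return ET.fromstring(markup).text
    except ET.ParseError:
        return None

if __name__ == "__main__":
    # Walk all four combinations of automatic and explicit escaping.
    for auto in (False, True):
        for explicit in (False, True):
            out = render_anchor(URL, auto, explicit)
            print(auto, explicit, out, "->", parsed_href(out))
    naive = "<r><![CDATA[" + PAYLOAD + "]]></r>"
    safe = "<r>" + cdata(PAYLOAD) + "</r>"
    print(naive, "->", parsed_text(naive))
    print(safe, "->", parsed_text(safe))
```

Exactly one escaping layer round-trips the URL through an XML parser; no layer yields malformed markup, and two layers deliver a literal `&amp;` to the consumer.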