You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Carsten (JIRA)" <ji...@apache.org> on 2008/02/12 19:01:16 UTC

[jira] Updated: (WICKET-1311) Improper HTML escaping for most wicket components and extensions

     [ https://issues.apache.org/jira/browse/WICKET-1311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten updated WICKET-1311:
----------------------------

    Description: 
All text based components use a central function to escape html markup probably contained in the text.
This is good style but the used method Strings.escapeMarkup() does not fullfill its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about it's input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of attributation.

Using the current code it's not possible to have a text value of e.g. '&#20;' getting properly stored and displayed
as exactly these 5 chars.

(Try it at  http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )



  was:
The method Strings.escapeMarkup() does not fullfill its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
an entity.
This message should not guess about it's input but escape blindly.
If an entity hould be "tunnelled through", there should be some kind of attributation.

Using the current code it's not possible to have a text value of e.g. '&#20;' getting properly displayed
as exactly these 5 chars.

(Try it at  http://wicketstuff.org/wicket13/compref/?wicket:interface=:0::::)



        Summary: Improper HTML escaping for most wicket components and extensions  (was: Improperly HTML escaping)

> Improper HTML escaping for most wicket components and extensions
> ----------------------------------------------------------------
>
>                 Key: WICKET-1311
>                 URL: https://issues.apache.org/jira/browse/WICKET-1311
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.0-final
>         Environment: Web Browser ... :-)
>            Reporter: Carsten
>
> All text based components use a central function to escape html markup probably contained in the text.
> This is good style but the used method Strings.escapeMarkup() does not fullfill its contract.
> It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
> an entity.
> That means it is not possible to display data which looks like a numeric entity.
> This utility method should not guess about it's input but escape blindly.
> If an entity should be "tunnelled through", there should be some kind of attributation.
> Using the current code it's not possible to have a text value of e.g. '&#20;' getting properly stored and displayed
> as exactly these 5 chars.
> (Try it at  http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.