You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by Ronny Løvtangen <li...@lovtangen.com> on 2009/11/16 11:08:53 UTC
2.1.8.1: Change in escaping
When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
I looked at the source. The change is that org.apache.struts2.components.Property now do a
org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
while it earlier did a
com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
Regards,
Ronny
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Andreas Joseph Krogh <an...@officenet.no>.
On Tuesday 17. November 2009 19.08.08 Dale Newfield wrote:
> Chris Pratt wrote:
> > Or even better, add an escape attribute that takes as it's values "html",
> > "xml", or "javascript". It would be very nice to have it be able to
> > properly encode at least single and double quotes in JavaScript as well as
> > HTML and XML, and using a more generic and extensible attribute name is
> > always a good idea.
>
> For example, it could even be implemented such that an attribute
> escape="javascript,xml" allows the specification of multiple escape
> mechanisms including an ordering in which they'll be applied.
+1
--
Andreas Joseph Krogh <an...@officenet.no>
Senior Software Developer / CTO
------------------------+---------------------------------------------+
OfficeNet AS | The most difficult thing in the world is to |
Rosenholmveien 25 | know how to do a thing and to watch |
1414 Trollåsen | somebody else doing it wrong, without |
NORWAY | comment. |
| |
Tlf: +47 24 15 38 90 | |
Fax: +47 24 15 38 91 | |
Mobile: +47 909 56 963 | |
------------------------+---------------------------------------------+
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
reopened , thanks
On Tue, Nov 17, 2009 at 12:30 PM, Dale Newfield <da...@newfield.org> wrote:
> Musachy Barroso wrote:
>>
>> that sounds good, can someone open a jira ticket so we don't depend
>> on my short term memory :)?
>
> I modified https://issues.apache.org/struts/browse/WW-3332 (although there
> didn't appear to be a way for me to change the resolution, so maybe this was
> a mistake...
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Dale Newfield <da...@newfield.org>.
Musachy Barroso wrote:
> that sounds good, can someone open a jira ticket so we don't depend
> on my short term memory :)?
I modified https://issues.apache.org/struts/browse/WW-3332 (although
there didn't appear to be a way for me to change the resolution, so
maybe this was a mistake...
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
that sounds good, can someone open a jira ticket so we don't depend
on my short term memory :)?
musachy
On Tue, Nov 17, 2009 at 10:08 AM, Dale Newfield <da...@newfield.org> wrote:
> Chris Pratt wrote:
>>
>> Or even better, add an escape attribute that takes as it's values "html",
>> "xml", or "javascript". It would be very nice to have it be able to
>> properly encode at least single and double quotes in JavaScript as well as
>> HTML and XML, and using a more generic and extensible attribute name is
>> always a good idea.
>
> For example, it could even be implemented such that an attribute
> escape="javascript,xml" allows the specification of multiple escape
> mechanisms including an ordering in which they'll be applied.
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Dale Newfield <da...@newfield.org>.
Chris Pratt wrote:
> Or even better, add an escape attribute that takes as it's values "html",
> "xml", or "javascript". It would be very nice to have it be able to
> properly encode at least single and double quotes in JavaScript as well as
> HTML and XML, and using a more generic and extensible attribute name is
> always a good idea.
For example, it could even be implemented such that an attribute
escape="javascript,xml" allows the specification of multiple escape
mechanisms including an ordering in which they'll be applied.
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Chris Pratt <th...@gmail.com>.
Or even better, add an escape attribute that takes as it's values "html",
"xml", or "javascript". It would be very nice to have it be able to
properly encode at least single and double quotes in JavaScript as well as
HTML and XML, and using a more generic and extensible attribute name is
always a good idea.
(*Chris*)
On Mon, Nov 16, 2009 at 9:48 AM, Musachy Barroso <mu...@gmail.com> wrote:
> hum, that's interesting. This move was to remove custom code by code
> in commons. The misleading part is that the method was called
> "htmlEncode". We should add an attribute to to the "property" tag
> "escapeXml" that calls
> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
> while we are at it, a "escapeCsv" as well.
>
> https://issues.apache.org/struts/browse/WW-3332
>
> musachy
>
> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com>
> wrote:
> >
> > When using escape="true" (which is default) on <s:property ... /> I can
> see that 2.1.6 and 2.1.8.1 behaves differently.
> > E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in
> 2.1.8.1 it is escaped as ø
> >
> > I looked at the source. The change is that
> org.apache.struts2.components.Property now do a
> >
> > org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
> >
> > while it earlier did a
> >
> > com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
> >
> > I didn't find the source to
> org.apache.commons.lang.xwork.StringEscapeUtils. It is part of
> xwork-core-2.1.6.jar, but the source is not included in
> xwork-core-2.1.6-sources.jar (!)
> > Is this the same class as org.apache.commons.lang.StringEscapeUtils in
> commons-lang? If so, I can see that it uses a lookup table to escape html
> entities, and fallbacks to #-escaping if not found.
> >
> >
> > Is this change intentional? And is there a way to escape 'the old way'?
> My ouput is not for use in HTML, but as xml input to a flash component, so
> ø won't work.
> >
> >
> > Regards,
> > Ronny
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
Re: 2.1.8.1: Change in escaping
Posted by Chris Pratt <th...@gmail.com>.
You can maintain backward compatibility by ensuring that escape="true" is
equivalent to escape="xml".
(*Chris*)
On Mon, Nov 16, 2009 at 10:48 AM, Musachy Barroso <mu...@gmail.com> wrote:
> I agree, but you know we are obsessed about backward compatibility :),
> that change would break a lot of stuff.
>
> On Mon, Nov 16, 2009 at 10:43 AM, Matt Raible <ma...@raibledesigns.com>
> wrote:
> > I would advocate that "escape" means escape everything (Csv, Xml and
> HTML).
> > No need to differentiate IMO.
> >
> > On Mon, Nov 16, 2009 at 1:37 PM, Musachy Barroso <mu...@gmail.com>
> wrote:
> >
> >> it is in trunk now. Please note that "escape" is true by default, so
> >> to escape some xml you should do:
> >>
> >> <s:property value="%{whatever}" escape="false" escapeXml="true" />
> >>
> >> hum, I wonder if we should deprecate "escape" and add a new
> "escapeHtml"?
> >>
> >> musachy
> >>
> >> On Mon, Nov 16, 2009 at 10:15 AM, Musachy Barroso <mu...@gmail.com>
> >> wrote:
> >> > working on it, it will be in trunk soon.
> >> >
> >> > On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <
> lists@lovtangen.com>
> >> wrote:
> >> >> Thanks for creating the jira issue. An escapeXml property would be
> >> really useful.
> >> >> Agree that "htmlEncode" was a misleading name.
> >> >>
> >> >> Ronny
> >> >>
> >> >> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
> >> >>
> >> >>> hum, that's interesting. This move was to remove custom code by code
> >> >>> in commons. The misleading part is that the method was called
> >> >>> "htmlEncode". We should add an attribute to to the "property" tag
> >> >>> "escapeXml" that calls
> >> >>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
> >> >>> while we are at it, a "escapeCsv" as well.
> >> >>>
> >> >>> https://issues.apache.org/struts/browse/WW-3332
> >> >>>
> >> >>> musachy
> >> >>>
> >> >>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <
> lists@lovtangen.com>
> >> wrote:
> >> >>>>
> >> >>>> When using escape="true" (which is default) on <s:property ... /> I
> >> can see that 2.1.6 and 2.1.8.1 behaves differently.
> >> >>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now
> in
> >> 2.1.8.1 it is escaped as ø
> >> >>>>
> >> >>>> I looked at the source. The change is that
> >> org.apache.struts2.components.Property now do a
> >> >>>>
> >> >>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
> >> >>>>
> >> >>>> while it earlier did a
> >> >>>>
> >> >>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
> >> >>>>
> >> >>>> I didn't find the source to
> >> org.apache.commons.lang.xwork.StringEscapeUtils. It is part of
> >> xwork-core-2.1.6.jar, but the source is not included in
> >> xwork-core-2.1.6-sources.jar (!)
> >> >>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils
> in
> >> commons-lang? If so, I can see that it uses a lookup table to escape
> html
> >> entities, and fallbacks to #-escaping if not found.
> >> >>>>
> >> >>>>
> >> >>>> Is this change intentional? And is there a way to escape 'the old
> >> way'? My ouput is not for use in HTML, but as xml input to a flash
> >> component, so ø won't work.
> >> >>>>
> >> >>>>
> >> >>>> Regards,
> >> >>>> Ronny
> >> >>>>
> >> >>>>
> >> >>>>
> ---------------------------------------------------------------------
> >> >>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> >>>> For additional commands, e-mail: dev-help@struts.apache.org
> >> >>>>
> >> >>>>
> >> >>>
> >> >>>
> ---------------------------------------------------------------------
> >> >>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> >>> For additional commands, e-mail: dev-help@struts.apache.org
> >> >>>
> >> >>
> >> >>
> >> >> ---------------------------------------------------------------------
> >> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> >> For additional commands, e-mail: dev-help@struts.apache.org
> >> >>
> >> >>
> >> >
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
I agree, but you know we are obsessed about backward compatibility :),
that change would break a lot of stuff.
On Mon, Nov 16, 2009 at 10:43 AM, Matt Raible <ma...@raibledesigns.com> wrote:
> I would advocate that "escape" means escape everything (Csv, Xml and HTML).
> No need to differentiate IMO.
>
> On Mon, Nov 16, 2009 at 1:37 PM, Musachy Barroso <mu...@gmail.com> wrote:
>
>> it is in trunk now. Please note that "escape" is true by default, so
>> to escape some xml you should do:
>>
>> <s:property value="%{whatever}" escape="false" escapeXml="true" />
>>
>> hum, I wonder if we should deprecate "escape" and add a new "escapeHtml"?
>>
>> musachy
>>
>> On Mon, Nov 16, 2009 at 10:15 AM, Musachy Barroso <mu...@gmail.com>
>> wrote:
>> > working on it, it will be in trunk soon.
>> >
>> > On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <li...@lovtangen.com>
>> wrote:
>> >> Thanks for creating the jira issue. An escapeXml property would be
>> really useful.
>> >> Agree that "htmlEncode" was a misleading name.
>> >>
>> >> Ronny
>> >>
>> >> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
>> >>
>> >>> hum, that's interesting. This move was to remove custom code by code
>> >>> in commons. The misleading part is that the method was called
>> >>> "htmlEncode". We should add an attribute to to the "property" tag
>> >>> "escapeXml" that calls
>> >>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
>> >>> while we are at it, a "escapeCsv" as well.
>> >>>
>> >>> https://issues.apache.org/struts/browse/WW-3332
>> >>>
>> >>> musachy
>> >>>
>> >>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com>
>> wrote:
>> >>>>
>> >>>> When using escape="true" (which is default) on <s:property ... /> I
>> can see that 2.1.6 and 2.1.8.1 behaves differently.
>> >>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in
>> 2.1.8.1 it is escaped as ø
>> >>>>
>> >>>> I looked at the source. The change is that
>> org.apache.struts2.components.Property now do a
>> >>>>
>> >>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>> >>>>
>> >>>> while it earlier did a
>> >>>>
>> >>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>> >>>>
>> >>>> I didn't find the source to
>> org.apache.commons.lang.xwork.StringEscapeUtils. It is part of
>> xwork-core-2.1.6.jar, but the source is not included in
>> xwork-core-2.1.6-sources.jar (!)
>> >>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in
>> commons-lang? If so, I can see that it uses a lookup table to escape html
>> entities, and fallbacks to #-escaping if not found.
>> >>>>
>> >>>>
>> >>>> Is this change intentional? And is there a way to escape 'the old
>> way'? My ouput is not for use in HTML, but as xml input to a flash
>> component, so ø won't work.
>> >>>>
>> >>>>
>> >>>> Regards,
>> >>>> Ronny
>> >>>>
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> >>>> For additional commands, e-mail: dev-help@struts.apache.org
>> >>>>
>> >>>>
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> >>> For additional commands, e-mail: dev-help@struts.apache.org
>> >>>
>> >>
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> >> For additional commands, e-mail: dev-help@struts.apache.org
>> >>
>> >>
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Matt Raible <ma...@raibledesigns.com>.
I would advocate that "escape" means escape everything (Csv, Xml and HTML).
No need to differentiate IMO.
On Mon, Nov 16, 2009 at 1:37 PM, Musachy Barroso <mu...@gmail.com> wrote:
> it is in trunk now. Please note that "escape" is true by default, so
> to escape some xml you should do:
>
> <s:property value="%{whatever}" escape="false" escapeXml="true" />
>
> hum, I wonder if we should deprecate "escape" and add a new "escapeHtml"?
>
> musachy
>
> On Mon, Nov 16, 2009 at 10:15 AM, Musachy Barroso <mu...@gmail.com>
> wrote:
> > working on it, it will be in trunk soon.
> >
> > On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <li...@lovtangen.com>
> wrote:
> >> Thanks for creating the jira issue. An escapeXml property would be
> really useful.
> >> Agree that "htmlEncode" was a misleading name.
> >>
> >> Ronny
> >>
> >> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
> >>
> >>> hum, that's interesting. This move was to remove custom code by code
> >>> in commons. The misleading part is that the method was called
> >>> "htmlEncode". We should add an attribute to to the "property" tag
> >>> "escapeXml" that calls
> >>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
> >>> while we are at it, a "escapeCsv" as well.
> >>>
> >>> https://issues.apache.org/struts/browse/WW-3332
> >>>
> >>> musachy
> >>>
> >>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com>
> wrote:
> >>>>
> >>>> When using escape="true" (which is default) on <s:property ... /> I
> can see that 2.1.6 and 2.1.8.1 behaves differently.
> >>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in
> 2.1.8.1 it is escaped as ø
> >>>>
> >>>> I looked at the source. The change is that
> org.apache.struts2.components.Property now do a
> >>>>
> >>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
> >>>>
> >>>> while it earlier did a
> >>>>
> >>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
> >>>>
> >>>> I didn't find the source to
> org.apache.commons.lang.xwork.StringEscapeUtils. It is part of
> xwork-core-2.1.6.jar, but the source is not included in
> xwork-core-2.1.6-sources.jar (!)
> >>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in
> commons-lang? If so, I can see that it uses a lookup table to escape html
> entities, and fallbacks to #-escaping if not found.
> >>>>
> >>>>
> >>>> Is this change intentional? And is there a way to escape 'the old
> way'? My ouput is not for use in HTML, but as xml input to a flash
> component, so ø won't work.
> >>>>
> >>>>
> >>>> Regards,
> >>>> Ronny
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >>>> For additional commands, e-mail: dev-help@struts.apache.org
> >>>>
> >>>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >>> For additional commands, e-mail: dev-help@struts.apache.org
> >>>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
Re: 2.1.8.1: Change in escaping
Posted by Andreas Joseph Krogh <an...@officenet.no>.
On Monday 16. November 2009 19.56.25 Ronny Løvtangen wrote:
> Wow, that was fast!
>
> The problem you mention that you have to set escape to false to be able use escapeXml, is already a problem in 2.1.8.1 with escapeJavascript I guess? The string is first html-escaped and then javascript-escaped.
> Could be fixed by guarding 'escape' with the other attributes:
>
> private String prepare(String value) {
> if (escapeXml) {
> return StringEscapeUtils.escapeXml(result);
> }
> if (escapeJavaScript) {
> return StringEscapeUtils.escapeJavaScript(result);
> }
> if (escape) {
> return StringEscapeUtils.escapeHtml(result);
> }
> return result;
> }
>
> (or with 'else if' if there's a policy against multiple returns)
>
>
> But.. What if you for some reason wants to escape both javascript and xml.. (would you ever?)
Yes, at leas I would. I sometimes end up having to embed HTML/XML in either JS-variables or as URLEncoded in an HTML-attribute, so escaping multiple times does give a meaning to me at least.
--
Andreas Joseph Krogh <an...@officenet.no>
Senior Software Developer / CTO
------------------------+---------------------------------------------+
OfficeNet AS | The most difficult thing in the world is to |
Rosenholmveien 25 | know how to do a thing and to watch |
1414 Trollåsen | somebody else doing it wrong, without |
NORWAY | comment. |
| |
Tlf: +47 24 15 38 90 | |
Fax: +47 24 15 38 91 | |
Mobile: +47 909 56 963 | |
------------------------+---------------------------------------------+
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Ronny Løvtangen <li...@lovtangen.com>.
Wow, that was fast!
The problem you mention that you have to set escape to false to be able use escapeXml, is already a problem in 2.1.8.1 with escapeJavascript I guess? The string is first html-escaped and then javascript-escaped.
Could be fixed by guarding 'escape' with the other attributes:
private String prepare(String value) {
if (escapeXml) {
return StringEscapeUtils.escapeXml(result);
}
if (escapeJavaScript) {
return StringEscapeUtils.escapeJavaScript(result);
}
if (escape) {
return StringEscapeUtils.escapeHtml(result);
}
return result;
}
(or with 'else if' if there's a policy against multiple returns)
But.. What if you for some reason wants to escape both javascript and xml.. (would you ever?)
On Nov 16, 2009, at 7:37 PM, Musachy Barroso wrote:
> it is in trunk now. Please note that "escape" is true by default, so
> to escape some xml you should do:
>
> <s:property value="%{whatever}" escape="false" escapeXml="true" />
>
> hum, I wonder if we should deprecate "escape" and add a new "escapeHtml"?
>
> musachy
>
> On Mon, Nov 16, 2009 at 10:15 AM, Musachy Barroso <mu...@gmail.com> wrote:
>> working on it, it will be in trunk soon.
>>
>> On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>>> Thanks for creating the jira issue. An escapeXml property would be really useful.
>>> Agree that "htmlEncode" was a misleading name.
>>>
>>> Ronny
>>>
>>> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
>>>
>>>> hum, that's interesting. This move was to remove custom code by code
>>>> in commons. The misleading part is that the method was called
>>>> "htmlEncode". We should add an attribute to to the "property" tag
>>>> "escapeXml" that calls
>>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
>>>> while we are at it, a "escapeCsv" as well.
>>>>
>>>> https://issues.apache.org/struts/browse/WW-3332
>>>>
>>>> musachy
>>>>
>>>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>>>>>
>>>>> When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
>>>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
>>>>>
>>>>> I looked at the source. The change is that org.apache.struts2.components.Property now do a
>>>>>
>>>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>>>>>
>>>>> while it earlier did a
>>>>>
>>>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>>>>>
>>>>> I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
>>>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
>>>>>
>>>>>
>>>>> Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Ronny
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>>>
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>
>>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
it is in trunk now. Please note that "escape" is true by default, so
to escape some xml you should do:
<s:property value="%{whatever}" escape="false" escapeXml="true" />
hum, I wonder if we should deprecate "escape" and add a new "escapeHtml"?
musachy
On Mon, Nov 16, 2009 at 10:15 AM, Musachy Barroso <mu...@gmail.com> wrote:
> working on it, it will be in trunk soon.
>
> On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>> Thanks for creating the jira issue. An escapeXml property would be really useful.
>> Agree that "htmlEncode" was a misleading name.
>>
>> Ronny
>>
>> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
>>
>>> hum, that's interesting. This move was to remove custom code by code
>>> in commons. The misleading part is that the method was called
>>> "htmlEncode". We should add an attribute to to the "property" tag
>>> "escapeXml" that calls
>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
>>> while we are at it, a "escapeCsv" as well.
>>>
>>> https://issues.apache.org/struts/browse/WW-3332
>>>
>>> musachy
>>>
>>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>>>>
>>>> When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
>>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
>>>>
>>>> I looked at the source. The change is that org.apache.struts2.components.Property now do a
>>>>
>>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>>>>
>>>> while it earlier did a
>>>>
>>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>>>>
>>>> I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
>>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
>>>>
>>>>
>>>> Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
>>>>
>>>>
>>>> Regards,
>>>> Ronny
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
working on it, it will be in trunk soon.
On Mon, Nov 16, 2009 at 10:11 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
> Thanks for creating the jira issue. An escapeXml property would be really useful.
> Agree that "htmlEncode" was a misleading name.
>
> Ronny
>
> On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
>
>> hum, that's interesting. This move was to remove custom code by code
>> in commons. The misleading part is that the method was called
>> "htmlEncode". We should add an attribute to to the "property" tag
>> "escapeXml" that calls
>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
>> while we are at it, a "escapeCsv" as well.
>>
>> https://issues.apache.org/struts/browse/WW-3332
>>
>> musachy
>>
>> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>>>
>>> When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
>>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
>>>
>>> I looked at the source. The change is that org.apache.struts2.components.Property now do a
>>>
>>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>>>
>>> while it earlier did a
>>>
>>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>>>
>>> I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
>>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
>>>
>>>
>>> Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
>>>
>>>
>>> Regards,
>>> Ronny
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Ronny Løvtangen <li...@lovtangen.com>.
Thanks for creating the jira issue. An escapeXml property would be really useful.
Agree that "htmlEncode" was a misleading name.
Ronny
On Nov 16, 2009, at 6:48 PM, Musachy Barroso wrote:
> hum, that's interesting. This move was to remove custom code by code
> in commons. The misleading part is that the method was called
> "htmlEncode". We should add an attribute to to the "property" tag
> "escapeXml" that calls
> org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
> while we are at it, a "escapeCsv" as well.
>
> https://issues.apache.org/struts/browse/WW-3332
>
> musachy
>
> On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>>
>> When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
>> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
>>
>> I looked at the source. The change is that org.apache.struts2.components.Property now do a
>>
>> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>>
>> while it earlier did a
>>
>> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>>
>> I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
>> Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
>>
>>
>> Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
>>
>>
>> Regards,
>> Ronny
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: 2.1.8.1: Change in escaping
Posted by Musachy Barroso <mu...@gmail.com>.
hum, that's interesting. This move was to remove custom code by code
in commons. The misleading part is that the method was called
"htmlEncode". We should add an attribute to to the "property" tag
"escapeXml" that calls
org.apache.commons.lang.xwork.StringEscapeUtils.escapeXml(..), and
while we are at it, a "escapeCsv" as well.
https://issues.apache.org/struts/browse/WW-3332
musachy
On Mon, Nov 16, 2009 at 2:08 AM, Ronny Løvtangen <li...@lovtangen.com> wrote:
>
> When using escape="true" (which is default) on <s:property ... /> I can see that 2.1.6 and 2.1.8.1 behaves differently.
> E.g. the norwegian letter ø is escaped as ø in 2.1.6, but now in 2.1.8.1 it is escaped as ø
>
> I looked at the source. The change is that org.apache.struts2.components.Property now do a
>
> org.apache.commons.lang.xwork.StringEscapeUtils.escapeHtml(result)
>
> while it earlier did a
>
> com.opensymphony.xwork2.util.TextUtils.htmlEncode(result)
>
> I didn't find the source to org.apache.commons.lang.xwork.StringEscapeUtils. It is part of xwork-core-2.1.6.jar, but the source is not included in xwork-core-2.1.6-sources.jar (!)
> Is this the same class as org.apache.commons.lang.StringEscapeUtils in commons-lang? If so, I can see that it uses a lookup table to escape html entities, and fallbacks to #-escaping if not found.
>
>
> Is this change intentional? And is there a way to escape 'the old way'? My ouput is not for use in HTML, but as xml input to a flash component, so ø won't work.
>
>
> Regards,
> Ronny
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org