You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/10/19 00:57:25 UTC

[Bug 57136] EL Parser escaping dollar sign not ${ or ${...}

https://bz.apache.org/bugzilla/show_bug.cgi?id=57136

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED

--- Comment #21 from Konstantin Kolinko <kn...@gmail.com> ---
Reviewing r1704572 and r1704576 (the fix for 7.0.x)

(In reply to Mark Thomas from comment #17)
> I think I have found another, related, problem in attribute values.
> 
> The problem I described in comment #16 (where I was thinking about template
> text) also applies to attribute values. Specifically, consider the following:
> <tags:echo echo="16-${'\\$'}" />
> 
> Currently, Tomcat applied attribute value escaping to the whole value. This
> is not correct. The production in the JSP spec for QuotedChar (which is used
> in attribute values) means that attribute escaping only applies outside the
> EL. Inside the EL is handled by ELEXpressionBody which delegates to the EL
> spec.
> 

I agree with this assessment. I was reading the current as well as older
versions of JSP and EL specifications - back to JSP 2.0/Tomcat 5.5.

The chapter "JSP.1.6 Quoting and Escape Conventions" has explicit section on
"Quoting in EL Expressions" and it does not say that any additional quoting
rules from surrounding context are applied to it. So I agree that when parsing
an attribute, "Quoting in Attributes" rules are applied until a ${, then
"Quoting in EL Expressions" rules are applied until a } is read.

Historically, EL expressions were introduced in JSTL 1.0 (JSR-052). At that
time the expressions were evaluated by tags themselves. So an attribute of JSP
tag was escaped as a whole, and unescaping it gives an EL expression.

Effectively if EL expression uses quoting (e.g. ${'\\'}) including it as
attribute value requires double quoting <c10:out value="${'\\\\'}" />  This
works when using JSTL 1.0 (xmlns:c10="http://java.sun.com/jstl/core") and EL
evaluation in JSPs is disabled. So the EL is evaluated by the tag library.

If using JSTL 1.1 (xmlns:c="http://java.sun.com/jsp/jstl/core") and EL is
enabled, it becomes <c:out value="${'\\'}" />

I see no mention of quoting changes, but for backwards compatibility there is
an explicit option, <%@page isELIgnored="true">.



My concern is that the behaviour where double escaping in attributes was
required has been there for many years.
E.g. Eclipse IDE cannot parse /tomcat-7.0.x/test/webapp-3.0/el-method.jsp file
and flags errors on the following line,

    <tags:echo echo="00-${testBeanA["bean"].sayHello('JUnit')}" />

I think there would better be a flag in Jasper to enable old behaviour of
attribute parsing. In the old behaviour mode the attribute will be parsed and
unescaped as a whole.

I think related change in r1704572 is in o.a.jasper.compiler.AttributeParser.

I am REOPENING to discuss introduction of such configuration option. (Though
may be better to reorganize into a separate BZ issue).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org