Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/10/15 06:13:52 UTC
[Bug 62825] New: JSP inline javeascript backslash miss escaping in
single quote string values
https://bz.apache.org/bugzilla/show_bug.cgi?id=62825
Bug ID: 62825
Summary: JSP inline javeascript backslash miss escaping in
single quote string values
Product: Tomcat 8
Version: 8.5.27
Hardware: All
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
Assignee: dev@tomcat.apache.org
Reporter: isalister@ust.hk
Target Milestone: ----
Created attachment 36198
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36198&action=edit
Contains the source JSP inline JavaScript file, the resulting parsed JavaScript
source in Chrome developer mode, and the generated JSP Java file.
The inline JavaScript in a JSP is supposed to have the same JavaScript source as
plain JavaScript in a non-JSP page (e.g. HTML).
But when there is a backslash value '\\' in a JSP page, the JSP Java file
output by the JSP engine after parsing does not escape the backslash value in
the single-quoted string value. The incorrect result is "...'\\'...", while the
correct result should be "...'\\\\'...".
Steps to reproduce:
1) Create an index.jsp file and add the following JavaScript code:
<script>
console.log('^?123'.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, '\\$&') + '(.*)');
</script>
2) Open the generated JSP Java file; the parsing result is as follows:
...
out.write("console.log('^?123'.replace(/[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^$\\|]/g,
'\\$&') + '(.*)');\r\n");
...
3) The correct generated JSP Java file should be as follows:
...
out.write("console.log('^?123'.replace(/[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^$\\|]/g,
'\\\\$&') + '(.*)');\r\n");
...
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62825] JSP inline javeascript backslash miss escaping in single
quote string values
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62825
isalister@ust.hk changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
CC| |isalister@ust.hk
[Bug 62825] JSP inline javeascript backslash miss escaping in single
quote string values
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62825
--- Comment #2 from isalister@ust.hk ---
Thanks for the clarification.
[Bug 62825] JSP inline javeascript backslash miss escaping in single
quote string values
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62825
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
The example does not take account of the requirements of EL escaping in a JSP
name. Namely that the sequence "\$" in a JSP is output as "$". Hence "\\$"
becomes "\$" which, when escaped in Java source becomes "\\$".
See definition of "TemplateChar" in the JSP specification and the section
titled "Quoting in Template Text".
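The following is an added illustration, not part of the original thread and not Jasper's code. It models the rule from comment #1 ("\$" in template text is output as "$") followed by Java string escaping, and shows the practical effect: the regex-escaping call from the report is served with the replacement '\$&' and escapes nothing in the browser. All function names are hypothetical, and only the "\$" rule and basic Java string escaping are modelled.

```javascript
// Added example: a simplified model of the two steps discussed in this thread,
// not Jasper's implementation. All function names here are hypothetical.

// Step 1, the rule quoted in comment #1: in JSP template text "\$" is output as "$".
function jspTemplateOutput(templateText) {
  return templateText.replace(/\\\$/g, () => '$');
}

// Step 2: embed the served text in a Java string literal, as in out.write("...").
function javaStringLiteral(text) {
  const escaped = text
    .replace(/\\/g, () => '\\\\')
    .replace(/"/g, () => '\\"')
    .replace(/\r/g, () => '\\r')
    .replace(/\n/g, () => '\\n');
  return '"' + escaped + '"';
}

// Value of a single-quoted JS literal that contains only identity escapes
// such as \\ and \$ (all this example needs).
function jsStringValue(literal) {
  return literal.slice(1, -1).replace(/\\(.)/g, (_, ch) => ch);
}

// The character class from the report, as a browser would see it in plain HTML.
const META = /[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g;

// Follow one replacement literal from the .jsp file to the browser.
function trace(jspLiteral) {
  const served = jspTemplateOutput(jspLiteral);
  return {
    served,                                  // what the browser receives
    javaSource: javaStringLiteral(served),   // what appears in the generated .java
    result: '^?123'.replace(META, jsStringValue(served)),
  };
}

// As written in the report: '\\$&' in the JSP.
const reported = trace(String.raw`'\\$&'`);
// With "\$" quoted once more in the JSP, which this model says is needed.
const quoted = trace(String.raw`'\\\$&'`);

console.log(reported); // served '\$&', result unchanged: '^?123'
console.log(quoted);   // served '\\$&', result escaped: '\^\?123'
```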