You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/07/11 05:09:00 UTC

DO NOT REPLY [Bug 10671] New: - Major issues with jsp:param in jsp:include and jsp:forward

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10671>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10671

Major issues with jsp:param in jsp:include and jsp:forward

           Summary: Major issues with jsp:param in jsp:include and
                    jsp:forward
           Product: Tomcat 4
           Version: 4.1.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jessh@ptc.com


This is related to bug 9361, which I also filed, but I have now run across a 
number of more substantive, related issues.

Tomcat 4.1.3 (and 4.1.2 and I'm not sure how far previously) take:
  <jsp:include ....>
    ...
    <jsp:param name="foo" value="<%=bar%>"/>
    ...
and generate something like
  JspEngine.include( ... + "&foo=" + java.net.URLEncoder.encode( bar ) ... );
whereas Tomcat 3.x did something like
  JspEngine.include( ... + "&foo=" + bar ... );
[Yes, I know the class is not actually "JspEngine", but you get the idea.]

This was apparently done to fix issues when bar.toString()'s result contained 
&, =, or other special characters.

Unfortunately, this change has a number of critical issues:
  1) As per 9361, if 'bar' is null, then this throws an exception, whereas most
     every servlet engine around (including Tomcat 3.2.x and 3.3.x) do not.
  2) If 'bar' is not a String, then the JSP page will no longer compile,
     whereas non-String variables could be used in this context previously and
     in other JSP engines.
  3) java.net.URLEncoder.encode() does not properly handle non-ASCII or at
     least non-Latin characters.  One has to do something like get the string
     bytes as per UTF8 then URLEncode the string formed from these bytes
     (interpretting each byte as a char) -- or more efficiently do this all in
     a single pass.  Thus the original intent of using URLEncoder.encode() is
     not fully accomplished by the change anyway.

As it stands now, Tomcat 4.1.x seriously cripples jsp:param as it is commonly 
used.  If this is as per the JSP 1.2 spec, please point this out (though I'd 
have trouble believing this).

I strongly suggest a single
  String JspEngine.encode( Object obj )
method that will return "" for a null object and otherwise to obj.toString(), 
UTF8 encode and URL encode this result.

As it is now, I suspect we were better off overall with the Tomcat 3.x 
jsp:param code generation, i.e. a heck of a lot of big, real apps run just fine 
on it without running afoul of URL encoding issues.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>