Posted to commits@wicket.apache.org by "Frank Klein Koerkamp (JIRA)" <ji...@apache.org> on 2009/09/22 16:16:16 UTC
[jira] Created: (WICKET-2484) CLONE -Improper HTML escaping for
most wicket components and extensions
CLONE -Improper HTML escaping for most wicket components and extensions
-----------------------------------------------------------------------
Key: WICKET-2484
URL: https://issues.apache.org/jira/browse/WICKET-2484
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.3.0-final
Environment: Web Browser ... :-)
Reporter: Frank Klein Koerkamp
Assignee: Igor Vaynberg
Fix For: 1.4-RC1
All text based components use a central function to escape html markup probably contained in the text.
This is good style but the used method Strings.escapeMarkup() does not fulfill its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about its input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of attributation.
Using the current code it's not possible to have a text value of e.g. '' getting properly stored and displayed
as exactly these 5 chars.
(Try it at http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
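Added example (not part of the original report and not Wicket's own code): a Java sketch of the contract problem the description above names. It compares an escaper that leaves "&#" alone with one that escapes every "&", and checks whether the text survives a round trip through entity decoding. The class and method names and the sample strings are constructed for illustration; browserText() is a minimal stand-in for a browser's entity decoding.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical demo class; none of these names come from Wicket.
public class EscapeContractDemo {
    // Models the reported behaviour: '&' followed by '#' is assumed to start an entity and is left alone.
    static String guessingEscape(String s) { return escape(s, true); }

    // Escapes every '&' regardless of what follows it.
    static String blindEscape(String s) { return escape(s, false); }

    private static String escape(String s, boolean skipNumericEntities) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean entityLike = c == '&' && i + 1 < s.length() && s.charAt(i + 1) == '#';
            if (c == '<') out.append("&lt;");
            else if (c == '>') out.append("&gt;");
            else if (c == '"') out.append("&quot;");
            else if (c == '&' && !(skipNumericEntities && entityLike)) out.append("&amp;");
            else out.append(c);
        }
        return out.toString();
    }

    // Single-pass decoder for the four named entities used above plus decimal numeric references.
    static final Pattern ENTITY = Pattern.compile("&(lt|gt|quot|amp|#(\\d{1,6}));");

    static String browserText(String html) {
        Matcher m = ENTITY.matcher(html);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(html, last, m.start());
            String name = m.group(1);
            if (m.group(2) != null) out.appendCodePoint(Integer.parseInt(m.group(2)));
            else out.append(name.equals("lt") ? "<" : name.equals("gt") ? ">" : name.equals("quot") ? "\"" : "&");
            last = m.end();
        }
        return out.append(html, last, html.length()).toString();
    }

    public static void main(String[] args) {
        String[] samples = { "a < b", "R&D", "&#60;", "&amp;#60;" }; // constructed inputs
        for (String text : samples) {
            System.out.printf("%-10s guessing round-trips: %-5b blind round-trips: %b%n", text,
                browserText(guessingEscape(text)).equals(text),
                browserText(blindEscape(text)).equals(text));
        }
    }
}
```

Only the "&#60;" sample fails the round trip, and only with the guessing variant: the five typed characters come back as a single "<".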
[jira] Updated: (WICKET-2484) CLONE -Improper HTML escaping for
most wicket components and extensions
Posted by "Frank Klein Koerkamp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Frank Klein Koerkamp updated WICKET-2484:
-----------------------------------------
Description:
/*All text based components use a central function to escape html markup probably contained in the text.
This is good style but the used method Strings.escapeMarkup() does not fulfill its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about its input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of attributation.
Using the current code it's not possible to have a text value of e.g. '' getting properly stored and displayed
as exactly these 5 chars.
(Try it at http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )*/
This change is giving us problems; we often use ' ' in our property files. We use this to show a space or things like it. With updating to 1.4 we see that the code is shown instead of the space.
If this is not fixed, how can we work around it?
was:
All text based components use a central function to escape html markup probably contained in the text.
This is good style but the used method Strings.escapeMarkup() does not fulfill its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the String "&#" because it assumes
an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about its input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of attributation.
Using the current code it's not possible to have a text value of e.g. '' getting properly stored and displayed
as exactly these 5 chars.
(Try it at http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )
[jira] Commented: (WICKET-2484) CLONE -Improper HTML escaping for
most wicket components and extensions
Posted by "Juergen Donnerstag (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12759866#action_12759866 ]
Juergen Donnerstag commented on WICKET-2484:
--------------------------------------------
Please provide a more detailed example (testcase or quickstart). Potentially the problem can be solved via UTF-8 encoded properties files which we now support (see http://issues.apache.org/jira/browse/WICKET-2451). XML properties files with encoding are supported as well.
[jira] Resolved: (WICKET-2484) CLONE -Improper HTML escaping for
most wicket components and extensions
Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg resolved WICKET-2484.
-----------------------------------
Resolution: Won't Fix
no quickstart/testcase
[jira] Updated: (WICKET-2484) CLONE -Improper HTML escaping for
most wicket components and extensions
Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg updated WICKET-2484:
----------------------------------
Fix Version/s: (was: 1.4-RC1)