Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2010/12/28 17:46:46 UTC
[jira] Resolved: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput
[ https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov resolved WICKET-2829.
-------------------------------------
Resolution: Won't Fix
I think your suggestion is not correct.
Escaping '&' with '&amp;' breaks URL with query parameters - e.g. href="http://www.example.com?a=b&amp;c=d" (note b&amp;c).
Escaping single quote breaks javascript functions - e.g. onclick="doSomething('parameter')".
Escaping > or < will break pure Javascript - e.g. onblur="if (this.value < 20 || this.value > 50)".
I know XHTML validators don't like it but this is the reality.
> Tag attributes values are not escaped properly during writeOutput
> -----------------------------------------------------------------
>
> Key: WICKET-2829
> URL: https://issues.apache.org/jira/browse/WICKET-2829
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 1.4.7
> Environment: Wicket 1.4.7
> Reporter: Rodrigo Faria
> Priority: Trivial
>
> In WICKET-741, the double quote character was escaped. But the characters: ' (single quote) and & (ampersand) are not escaped.
> With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validation marks it as an error.
> With ' not escaped, if single quote is used instead of double quote as in:
> <tag attribute='value'/>
> The result will be broken just as double quote was before WICKET-741.
> I'm not sure if < and > characters should also be escaped. Some validators/parsers allow them, but some others mark them as errors. I would also replace them.
> I suggest adding the lines marked below to ComponentTag.writeOutput:
> ---
> // attributes without values are possible, e.g. ' disabled'
> if (value != null)
> {
>     response.write("=\"");
>     value = Strings.replaceAll(value, "&", "&amp;"); // <--- added; must run first so the entities below are not double-escaped
>     value = Strings.replaceAll(value, "\"", "&quot;");
>     value = Strings.replaceAll(value, "\'", "&#39;"); // <----- added (numeric form, valid in both HTML and XML)
>     value = Strings.replaceAll(value, "<", "&lt;"); // <----- added
>     value = Strings.replaceAll(value, ">", "&gt;"); // <----- added
>     response.write(value);
>     response.write("\"");
> }
> ---
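The three cases raised in the resolution (a URL with a query string, an onclick handler with single quotes, an onblur handler with < and >) are exactly the inputs worth running through the proposed escaping. The example below is added here and is not Wicket's own code nor the reporter's patch: it implements the suggested replacement order with '&' escaped first, pairs it with the entity decoding an HTML or XML parser applies to every attribute value before the browser sees it, and checks two properties for each sample: the serialized value contains no raw quote character (so it cannot terminate the attribute it sits in), and decoding returns the original text unchanged (so the query string and the inline script reach the browser as written, because parsers decode &amp; in href values before navigating). The class and method names (AttributeEscapeDemo, escapeAttribute, decodeEntities, writeAttribute) are assumptions for this illustration; String.replace stands in for Strings.replaceAll.

```java
// Added example (not Wicket's own code): the escaping proposed in WICKET-2829,
// paired with the decoding a parser applies to attribute values, to show that
// escaping '&', both quotes, '<' and '>' is a lossless round trip.
// Names used here (AttributeEscapeDemo, escapeAttribute, decodeEntities,
// writeAttribute) are hypothetical and not part of Wicket.
import java.util.LinkedHashMap;
import java.util.Map;

public final class AttributeEscapeDemo {

    /** Escape a tag attribute value as the WICKET-2829 suggestion does, '&' first. */
    static String escapeAttribute(String value) {
        if (value == null) {
            return null; // attributes without values, e.g. ' disabled'
        }
        // '&' must be replaced first, otherwise the entities produced below
        // would be double-escaped ("&quot;" -> "&amp;quot;").
        value = value.replace("&", "&amp;");
        value = value.replace("\"", "&quot;");
        value = value.replace("'", "&#39;");
        value = value.replace("<", "&lt;");
        value = value.replace(">", "&gt;");
        return value;
    }

    /** The five entities above, decoded as an HTML/XML parser does for an attribute. */
    static String decodeEntities(String escaped) {
        String s = escaped;
        s = s.replace("&quot;", "\"");
        s = s.replace("&#39;", "'");
        s = s.replace("&lt;", "<");
        s = s.replace("&gt;", ">");
        s = s.replace("&amp;", "&"); // '&' last, the mirror of escaping it first
        return s;
    }

    /** Render one attribute the way writeOutput does: name, '=', double-quoted value. */
    static String writeAttribute(String name, String value) {
        StringBuilder sb = new StringBuilder(" ").append(name);
        if (value != null) {
            sb.append("=\"").append(escapeAttribute(value)).append('"');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: the three cases from the issue discussion
        // plus a value-less attribute.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("href", "http://www.example.com?a=b&c=d");
        samples.put("onclick", "doSomething('parameter')");
        samples.put("onblur", "if (this.value < 20 || this.value > 50)");
        samples.put("disabled", null);

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String rendered = writeAttribute(e.getKey(), e.getValue());
            System.out.println(rendered);
            if (e.getValue() == null) {
                continue;
            }
            String escaped = escapeAttribute(e.getValue());
            // The serialized form never contains a raw quote, so the value
            // cannot end the attribute early ...
            if (escaped.indexOf('"') >= 0 || escaped.indexOf('\'') >= 0) {
                throw new AssertionError("raw quote survived escaping: " + escaped);
            }
            // ... and the parser hands the original text back to the browser,
            // so the URL query string and the inline script are unchanged.
            if (!e.getValue().equals(decodeEntities(escaped))) {
                throw new AssertionError("round trip failed for " + e.getKey());
            }
        }
    }
}
```

Run it with `javac AttributeEscapeDemo.java && java AttributeEscapeDemo`; it prints the four attributes in their escaped form and exits silently if both checks hold. The order of the two replacement tables is the whole point: escaping '&' first and decoding it last is what keeps a value such as a literal "&lt;" in the source from turning into "<" after the round trip.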