You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2010/12/28 17:46:46 UTC

[jira] Resolved: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput

     [ https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-2829.
-------------------------------------

    Resolution: Won't Fix

I think your suggestion is not correct.
Escaping '&' with '&amp;' breaks URL with query parameters - e.g. href="http://www.example.com?a=b&c=d" (note b&c).  
Escaping single quote breaks javascript functions - e.g. onclick="doSomething('parameter')".
Escaping > or < will break pure Javascript - e.g. onblur="if (this.value < 20 || this.value > 50)".

I know XHTML validators don't like it but this is the reality.

> Tag attributes values are not escaped properly during writeOutput
> -----------------------------------------------------------------
>
>                 Key: WICKET-2829
>                 URL: https://issues.apache.org/jira/browse/WICKET-2829
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.4.7
>         Environment: Wicket 1.4.7
>            Reporter: Rodrigo Faria
>            Priority: Trivial
>
> In WICKET-741, the double quote character was escaped. But the characters: ' (single quote) and & (ampersand) are not escaped.
> With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validations marks it as an error.
> With ' not escaped, if single quote is used instead of double quote as in:
> <tag attribute='value'/>
> The result will be broken just as double quote was before WICKET-741.
> I'm not sure if < and > characters should also be escaped. Some validators/parsers allow them, but some other mark them as errors. I would also replace them.
> I suggest adding the lines marked below to ComponentTag.writeOutput:
> ---
> // attributes without values are possible, e.g.' disabled'
> if (value != null)
> {
> 	response.write("=\"");
> 	value = Strings.replaceAll(value, "&", "&amp;");   // <--- added
> 	value = Strings.replaceAll(value, "\"", "&#34;");
> 	value = Strings.replaceAll(value, "\'", "&#39;");   // <----- added
> 	value = Strings.replaceAll(value, "<", "&lt;");   // <----- added
> 	value = Strings.replaceAll(value, ">", "&gt;");   // <----- added
> 	response.write(value);
> 	response.write("\"");
> }
> ---

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.