Posted to commits@wicket.apache.org by "Rodrigo Faria (JIRA)" <ji...@apache.org> on 2010/04/08 17:52:36 UTC

[jira] Created: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput

Tag attributes values are not escaped properly during writeOutput
-----------------------------------------------------------------

                 Key: WICKET-2829
                 URL: https://issues.apache.org/jira/browse/WICKET-2829
             Project: Wicket
          Issue Type: Bug
          Components: wicket
         Environment: Wicket 1.4.7
            Reporter: Rodrigo Faria


In WICKET-741, the double quote character was escaped. But the characters ' (single quote) and & (ampersand) are not escaped.
With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validation marks it as an error.
With ' not escaped, if a single quote is used instead of a double quote, as in:
<tag attribute='value'/>
the result will be broken just as it was with the double quote before WICKET-741.

I'm not sure if the < and > characters should also be escaped. Some validators/parsers allow them, but others mark them as errors. I would also replace them.

I suggest adding the lines marked below to ComponentTag.writeOutput:
---
// attributes without values are possible, e.g. 'disabled'
if (value != null)
{
	response.write("=\"");
	value = Strings.replaceAll(value, "&", "&amp;");   // <--- added
	value = Strings.replaceAll(value, "\"", "&#34;");
	value = Strings.replaceAll(value, "\'", "&#39;");   // <--- added
	value = Strings.replaceAll(value, "<", "&lt;");   // <--- added
	value = Strings.replaceAll(value, ">", "&gt;");   // <--- added
	response.write(value);
	response.write("\"");
}
---

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput

Posted by "Rodrigo Faria (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12854969#action_12854969 ] 

Rodrigo Faria commented on WICKET-2829:
---------------------------------------

I believe XmlTag.toXmlString should also do the same. Note that WICKET-741 did not change it though.




[jira] Commented: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput

Posted by "Rodrigo Faria (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12854968#action_12854968 ] 

Rodrigo Faria commented on WICKET-2829:
---------------------------------------

Actually, you could just use:
value = Strings.escapeMarkup(value)
instead of all those replaceAll calls.


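The replacement chain proposed in the report, and the single-call alternative suggested in the comment above, as an added Java example. This is not code from the issue or from Wicket's source: it uses plain String.replace instead of Wicket's Strings helpers so that it runs without Wicket on the classpath, and the class and method names are assumptions chosen for the demo. It writes the same tag twice, once with the quote-only escaping the report describes as the state after WICKET-741 and once with the full escaping, and separately shows why the ampersand has to be replaced before the other characters.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Wicket's own code: a minimal attribute writer that applies the
 * escaping proposed in WICKET-2829 beside the pre-fix behaviour described in the report.
 * Class and method names here are assumptions chosen for the demo.
 */
public class AttributeEscapingDemo {

    /** Behaviour described as the state after WICKET-741: only the double quote is escaped. */
    static String escapeQuoteOnly(String value) {
        return value.replace("\"", "&#34;");
    }

    /**
     * The replacement chain proposed in the report. The order matters: '&' must be
     * replaced first, because every later replacement introduces a new '&'; escaping
     * '&' afterwards would turn "&#34;" into "&amp;#34;", which renders as literal text.
     */
    static String escapeAttribute(String value) {
        return value.replace("&", "&amp;")
                    .replace("\"", "&#34;")
                    .replace("'", "&#39;")
                    .replace("<", "&lt;")
                    .replace(">", "&gt;");
    }

    /** The wrong order, kept as a separate method so the double escaping is easy to inspect. */
    static String escapeAmpersandLast(String value) {
        return value.replace("\"", "&#34;").replace("&", "&amp;");
    }

    /**
     * Mirrors the shape of the snippet in the report: a value is always wrapped in double
     * quotes, and an attribute with a null value (e.g. disabled) is written bare.
     */
    static String writeTag(String name, Map<String, String> attrs, boolean fullEscape) {
        StringBuilder sb = new StringBuilder("<").append(name);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            sb.append(' ').append(e.getKey());
            String value = e.getValue();
            if (value != null) {
                sb.append("=\"")
                  .append(fullEscape ? escapeAttribute(value) : escapeQuoteOnly(value))
                  .append('"');
            }
        }
        return sb.append("/>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample value carrying every character the report discusses.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("title", "Tom's <b>\"quoted\"</b> & friends");
        attrs.put("disabled", null);

        System.out.println("quote-only escaping: " + writeTag("input", attrs, false));
        System.out.println("full escaping:       " + writeTag("input", attrs, true));
        System.out.println("wrong order on '\"': " + escapeAmpersandLast("\""));
    }
}
```

Compile with javac and run the class. The first line of output still carries a bare & and bare < and > inside the attribute, which is what the report says an XHTML validator rejects; the second line has every one of those characters replaced by an entity while the bare disabled attribute is left untouched; the third line shows the double-escaped entity that results when the ampersand is handled after the quote, which is the one ordering mistake to watch for whether the replacements are written out by hand or delegated to a helper such as Strings.escapeMarkup.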


[jira] Updated: (WICKET-2829) Tag attributes values are not escaped properly during writeOutput

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg updated WICKET-2829:
----------------------------------

    Issue Type: Improvement  (was: Bug)
      Priority: Trivial  (was: Major)

