Hello Yasser, Sorry for the late reply! I have been on vacation and needed some time to go through all the mails that have piled up :-)
> On 27.02.2017 at 15:38, Yasser Zamani <yasser.zam...@live.com> wrote:
>
> Hi there,
>
> I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes
> `JavaUnicodeEscaper`? Is it its business really? The problem is, when we
> use it to prevent script injection by user, it also replaces user
> input's unicodes with "\u"s, which is not deducted with the
> `escapeEcmaScript` term.

StringEscapeUtils contains general String escaping routines. It does not focus on business related escaping (how would you draw that line anyway?). escapeEcmaScript just escapes the characters in a String using EcmaScript String rules.

Can you please provide a failing test case showing the problem you see?

> Another thing is, it replaces e.g. '<' with '<' (html/xml escape) but
> replaces unicode with '\u....' rather than '&#‘?

I fail to understand the problem here. The following test is green (imports added so it compiles as a JUnit 4 test against commons-lang3):

    import static org.junit.Assert.assertEquals;

    import org.apache.commons.lang3.StringEscapeUtils;
    import org.junit.Test;

    public class EscapeEcmaScriptTest {

        @Test
        public void testEscape() throws Exception {
            // '<' and '>' pass through unchanged: they are not special in an EcmaScript string
            assertEquals("< >", StringEscapeUtils.escapeEcmaScript("< >"));
        }
    }

So "<" and ">" are not escaped by escapeEcmaScript.

> And finally, just for curiosity, why does `ESCAPE_ECMASCRIPT` not include
> `OctalUnescaper` while `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?

Again it is because it just escapes according to EcmaScript escaping rules.

Hope that helps!

Regards,
Benedikt

> Thanks in advance!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
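An added example, not from this thread or from Commons itself, that makes the point above concrete: escapeEcmaScript applies only EcmaScript string rules (quotes, backslash, forward slash, control characters, non-ASCII as \uXXXX), so output placed inside a `<script>` block is a valid literal, while output placed in an HTML attribute still needs the HTML-escaping pass on top. The class name `EcmaScriptEscapeDemo`, the helper names and the sample inputs are assumptions; it assumes commons-lang3 on the classpath.

```java
// Added example (not from the thread): what escapeEcmaScript does and does not escape,
// and why the surrounding HTML context still needs its own escaping pass.
// Assumes commons-lang3; the commons-text StringEscapeUtils offers the same method names.
import org.apache.commons.lang3.StringEscapeUtils;

public class EcmaScriptEscapeDemo {

    /** Untrusted text as a JavaScript string literal for use inside a <script> block. */
    static String jsLiteral(String untrusted) {
        // Escapes ' " \ and /, control characters, and non-ASCII as \uXXXX.
        // '<' and '>' are left alone; because '/' is escaped, "</script>" becomes
        // "<\/script>", which the HTML parser does not treat as an end tag in a script block.
        return "'" + StringEscapeUtils.escapeEcmaScript(untrusted) + "'";
    }

    /** Same literal, but for an inline event-handler attribute (HTML wraps the JS context). */
    static String jsLiteralInAttribute(String untrusted) {
        // Inner context first (EcmaScript string rules), then the outer context (HTML rules),
        // so that '<', '>', '&' and '"' cannot terminate the attribute or start a tag.
        return StringEscapeUtils.escapeHtml4(jsLiteral(untrusted));
    }

    /** The \uXXXX form is an ordinary EcmaScript escape: unescaping returns the original text. */
    static boolean roundTrips(String s) {
        String escaped = StringEscapeUtils.escapeEcmaScript(s);
        return s.equals(StringEscapeUtils.unescapeEcmaScript(escaped));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the thread's "< >", a script end tag, quotes, non-ASCII.
        String[] samples = { "< >", "</script>", "He said \"hi\" and 'bye'", "Grüße, 你好" };
        for (String s : samples) {
            System.out.println("input:      " + s);
            System.out.println("script:     var v = " + jsLiteral(s) + ";");
            System.out.println("attribute:  <a onclick=\"show(" + jsLiteralInAttribute(s) + ")\">");
            System.out.println("round trip: " + roundTrips(s));
            System.out.println();
        }
    }
}
```

The non-ASCII sample shows the behaviour Yasser asked about: the characters come back as \uXXXX escapes in the literal, and unescapeEcmaScript restores them unchanged.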