[
https://issues.apache.org/struts/browse/SHALE-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44089#action_44089
]
Sorina Grave commented on SHALE-488:
------------------------------------
I agree that the output of JavaScript to the HtmlWriter should be enclosed
within a CDATA section for XHTML because the validation for XHTML 1.0
Transitional fails when JavaScript contains characters such as "<" or "--".
The problem is actually down to the detection of XHTMLContentType in
HtmlRendererUtils - the list of current content types is checked against the
following supported list:
    String[] supportedContentTypeArray = new String[]{HTML_CONTENT_TYPE,
        ANY_CONTENT_TYPE, XHTML_CONTENT_TYPE, APPLICATION_XML_CONTENT_TYPE,
        TEXT_XML_CONTENT_TYPE};
Since the first check and the first element in the list are HTML, the value of
_contentType will always be set to HTML_CONTENT_TYPE (see selectContentType
from HtmlRendererUtils.java).
Another problem is that the "isAllowedCdataSection" method is also called together
with isXHTMLContentType:
I have tried adding to web.xml the entry corresponding to
ALLOW_CDATA_SECTION_ON ("org.apache.myfaces.ResponseWriter.CdataSectionOn") but
it didn't make any difference. Any ideas on how this setting should be used?
This section:
    if(isScriptOrStyle())
    {
        if(HtmlRendererUtils.isXHTMLContentType(_contentType))
        {
            if(HtmlRendererUtils.isAllowedCdataSection(FacesContext.getCurrentInstance()))
            {
                _writer.write(CDATA_START);
            }
        }
        else
        {
            _writer.write(COMMENT_START);
        }
    }
should be replaced by something like this (The decision to write either CDATA
section or HTML comment should be made based on Doctype declared at the top of
the page)
    if(isScriptOrStyle())
    {
        if(HtmlRendererUtils.isXHTMLDocType(pageContext))
        {
            _writer.write(CDATA_START);
        }
        else
        {
            _writer.write(COMMENT_START);
        }
    }
I can actually see the value of writer's buffer (after it has appended
PageContext) and in my case, this contains:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The document type should be determined by parsing the buffer and it should be
used to decide whether to write CDATA_START or COMMENT_START.
> Script contents should be enclosed in CDATA section for XML documents
> ---------------------------------------------------------------------
>
> Key: SHALE-488
> URL: https://issues.apache.org/struts/browse/SHALE-488
> Project: Shale
> Issue Type: Improvement
> Components: Validator
> Affects Versions: 1.0.4
> Environment: XML content types, including XHTML
> Reporter: Jeff Tsay
>
> When the validator script gets rendered, it outputs raw Javascript inside the
> <script> tags. The Javascript includes characters like & which need to be escaped
> or in a CDATA section in XML. For XUL or XHTML, this is a problem. I
> guess that XHTML parsers are more lenient about this so that's why the
> problem never showed up? Anyway the fix, which was also suggested by
> Gary VanMatre, was to enclose the script contents in an XML CDATA
> section. So in
> src/main/java/org/apache/shale/validator/faces/ValidatorScript.java I have:
>     private void writeScriptStart(ResponseWriter writer) throws IOException {
>         writer.startElement("script", this);
>         writer.writeAttribute("type", "text/javascript", null);
>         writer.writeAttribute("language", "Javascript1.1", null);
>         writer.write("\n");
>
>         // jtsay added
>         // Enclose XML in CDATA so special characters can be used without escaping.
>         if (!"text/html".equals(writer.getContentType())) {
>             writer.write("<![CDATA[\n");
>         }
>     }
> and
>     private void writeScriptEnd(ResponseWriter writer) throws IOException {
>         // jtsay added
>         if (!"text/html".equals(writer.getContentType())) {
>             writer.write("\n]]>\n");
>         }
>
>         writer.write("\n");
>         writer.endElement("script");
>     }
> This assumes if we are not rendering text/html, we must be rendering
> some sort of XML. Sound reasonable?
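
Added example (not part of the original comment or issue, and not MyFaces or Shale code): a sketch of the doctype-based decision the comment proposes, run against the DOCTYPE it quotes. The class name, method names and delimiter strings are assumptions of this example. It goes one step beyond the thread by splitting any "]]>" found in the script, which would otherwise end the CDATA section early.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: names and delimiter strings are hypothetical, not MyFaces or Shale API.
public class ScriptSectionExample {

    // Captures the public identifier of the DOCTYPE declaration in the page buffer.
    private static final Pattern DOCTYPE_PUBLIC_ID = Pattern.compile(
            "<!DOCTYPE\\s+html\\s+PUBLIC\\s+\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);

    // True when the buffered start of the page declares an XHTML DTD.
    static boolean isXhtmlDocType(CharSequence pageStart) {
        Matcher m = DOCTYPE_PUBLIC_ID.matcher(pageStart);
        return m.find() && m.group(1).toUpperCase(Locale.ROOT).contains("//DTD XHTML ");
    }

    // Wraps script text in a CDATA section for XHTML, or an HTML comment otherwise.
    static String wrapScript(String script, boolean xhtml) {
        if (!xhtml) {
            return "<!--\n" + script + "\n//-->";
        }
        // A literal "]]>" in the script would close the section early and the
        // remainder would be parsed as markup, so split it across two sections.
        String safe = script.replace("]]>", "]]]]><![CDATA[>");
        return "<![CDATA[\n" + safe + "\n]]>";
    }

    public static void main(String[] args) {
        // DOCTYPE as quoted in the comment above.
        String xhtmlPage = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n"
                + "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
        // Constructed sample inputs: an HTML 4.01 page and a script containing "]]>".
        String htmlPage = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">";
        String script = "if (a[b[0]]>1 && c<2) { validate(); }";

        for (String page : new String[] {xhtmlPage, htmlPage}) {
            boolean xhtml = isXhtmlDocType(page);
            System.out.println("xhtml=" + xhtml);
            System.out.println(wrapScript(script, xhtml));
        }
    }
}
```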