2014-03-14 15:37 GMT+04:00 Zboron Lukas <lzbo...@gratex.com>:
> Hi,
> I have several custom jspx tags with dynamic attributes that worked well up
> to Tomcat 7.0.47, but they do not work properly on Tomcat 7.0.52. The same
> problems also occur when using Spring form tags (I suspect that other
> libraries would have the same problem, but I didn't test them).
>
> sample (data-test[2] is dynamic attribute, onclick is static):
> <c:set var="world" value="'World'"></c:set>
> <sf:form onclick="window.alert('Hello ${world}!')"
> data-test="window.alert('Hello ${world}!')"
> data-test2="window.alert('Hello World!')"
> tomcat 7.0.47 output:
> <form onclick="window.alert('Hello 'World'!')"
> data-test="window.alert('Hello 'World'!')"
> data-test2="window.alert('Hello World!')"
> tomcat 7.0.52 output:
> <form onclick="window.alert('Hello 'World'!')"
> data-test="window.alert(&#039;Hello 'World'!&#039;)"
> data-test2="window.alert('Hello World!')"
>
> If there is EL used in a dynamic attribute (data-test), the non-EL part of that
> attribute is escaped twice, and the EL part is escaped only once. Tomcat 7.0.47
> would escape everything just once.
> Everything works as before if a static attribute is used (onclick) or there is
> no EL in the dynamic attribute (data-test2).
>
> I strongly suspect that this is caused by this fix:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55735, but I don't
> understand why using EL should cause double escaping of the rest of
> the attribute value. Is it a bug?
>
It looks like a bug. Please file an issue in Bugzilla. It would be
nice if you can attach a simple reproducing web application to it.

It was a long battle spanning 7.0.47-7.0.50-7.0.52, but I wonder why
there are still issues with it. I hoped that it was solved with
7.0.52.

http://issues.apache.org/bugzilla/show_bug.cgi?id=56029
http://issues.apache.org/bugzilla/show_bug.cgi?id=55735
http://issues.apache.org/bugzilla/show_bug.cgi?id=55198

Best regards,
Konstantin Kolinko
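
Added example, not part of the thread and not Tomcat code: a regression check that parses rendered HTML and flags any attribute whose value still contains a character reference after the single round of decoding an HTML parser applies, which is the symptom reported above. It assumes the outputs quoted in the report are shown after that one round of decoding; `esc`, `render`, `form`, `AttrAudit` and `over_escaped` are hypothetical names, and the markup is constructed from the report's sample.

```python
import re
from html import escape
from html.parser import HTMLParser

# A character reference that survives one round of decoding means the
# value was escaped more than once on the way out.
RESIDUAL = re.compile(r"&(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")

def esc(text, rounds=1):
    """Escape text `rounds` times, writing ' as &#039; as in the report."""
    for _ in range(rounds):
        text = escape(text, quote=True).replace("&#x27;", "&#039;")
    return text

def render(parts, literal_rounds):
    """Join (kind, text) parts: EL results escaped once, literals N times."""
    return "".join(esc(t, 1 if kind == "el" else literal_rounds)
                   for kind, t in parts)

# Constructed from the report's sample: literal text around ${world}.
PARTS = [("lit", "window.alert('Hello "), ("el", "'World'"), ("lit", "!')")]

def form(literal_rounds):
    """Constructed markup: only the dynamic attribute with EL varies."""
    static = render(PARTS, 1)
    dynamic = render(PARTS, literal_rounds)
    plain = esc("window.alert('Hello World!')")
    return (f'<form onclick="{static}" data-test="{dynamic}" '
            f'data-test2="{plain}">')

class AttrAudit(HTMLParser):
    """Collect attributes whose decoded value still holds a reference."""
    def __init__(self):
        super().__init__()
        self.findings = {}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # value arrives decoded once
            hits = RESIDUAL.findall(value or "")
            if hits:
                self.findings[name] = (value, hits)

def over_escaped(html_text):
    audit = AttrAudit()
    audit.feed(html_text)
    audit.close()
    return audit.findings
```

Running `over_escaped` on pages captured before and after a container upgrade shows which attributes changed escaping depth; an attribute that is meant to carry literal entity text will also be flagged and needs an allow-list.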