2014-03-14 18:35 GMT+04:00 Mark Thomas <ma...@apache.org>:
> On 14/03/2014 11:57, Konstantin Kolinko wrote:
>> 2014-03-14 15:37 GMT+04:00 Zboron Lukas <lzbo...@gratex.com>:
>>> Hi,
>>> I have several custom jspx tags with dynamic attributes that worked well up
>>> to Tomcat 7.0.47, but they do not work properly on Tomcat 7.0.52. Same
>>> problems occur also when using Spring form tags (I suspect that other
>>> libraries would have same problem, but I didn't test them).
>>>
>>> sample (data-test[2] is dynamic attribute, onclick is static):
>>> <c:set var="world" value="'World'"></c:set>
>>> <sf:form onclick="window.alert('Hello ${world}!')"
>>> data-test="window.alert('Hello ${world}!')"
>>> data-test2="window.alert('Hello World!')"
>>> tomcat 7.0.47 output:
>>> <form onclick="window.alert('Hello 'World'!')"
>>> data-test="window.alert('Hello 'World'!')"
>>> data-test2="window.alert('Hello World!')"
>>> tomcat 7.0.52 output:
>>> <form onclick="window.alert('Hello 'World'!')"
>>> data-test="window.alert(&#039;Hello 'World'!&#039;)"
>>> data-test2="window.alert('Hello World!')"
>>>
>>> If there is EL used in dynamic attribute (data-test), non-EL part of that
>>> attribute is escaped twice, EL part is escaped only once. Tomcat 7.0.47
>>> would escape everything just once.
>>> Everything works as before if static attribute is used (onclick) or there is
>>> no EL in dynamic attribute (data-test2).
>>>
>>> I strongly suspect, that this is caused by this fix:
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55735, but I don't
>>> understand why using EL should cause double escaping of the rest of
>>> attribute value. Is it bug?
>>>
>>
>> It looks like a bug.
>>
>> Please file an issue in Bugzilla.
>> It would be nice if you can attach a simple reproducing web application to
>> it.
>
> It would also help if we could see the source for sf:form or a
> simplified version of if that demonstrates the problem.
>
Apparently this is about <form:form> tag from Spring Framework "form" tags.
Those are in spring-webmvc-4.0.2.RELEASE.jar
META-INF/spring-form.tld defines the tag as
[[[
<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd";
version="2.0">
<description>Spring Framework JSP Form Tag Library</description>
<tlib-version>4.0</tlib-version>
<short-name>form</short-name>
<uri>http://www.springframework.org/tags/form</uri>
<tag>
<description>Renders an HTML 'form' tag and exposes a binding
path to inner tags for binding.</description>
<name>form</name>
<tag-class>org.springframework.web.servlet.tags.form.FormTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>HTML Standard Attribute</description>
<name>id</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
(..skipping a lot of attributes)
<dynamic-attributes>true</dynamic-attributes>
</tag>
and with <dynamic-attributes> it allows to pass any random
user-created attribute there.
Printing those dynamic attributes looks like the following:
in \org\springframework\web\servlet\tags\form\AbstractHtmlElementTag.java
if (!CollectionUtils.isEmpty(this.dynamicAttributes)) {
for (String attr : this.dynamicAttributes.keySet()) {
tagWriter.writeOptionalAttributeValue(attr,
getDisplayString(this.dynamicAttributes.get(attr)));
}
}
Links:
https://github.com/spring-projects/spring-framework
https://repo.spring.io/libs-release-local/org/springframework/spring/4.0.2.RELEASE/
https://github.com/spring-projects/spring-framework/blob/master/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/AbstractHtmlElementTag.java
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
