2014-03-14 18:35 GMT+04:00 Mark Thomas <ma...@apache.org>:
> On 14/03/2014 11:57, Konstantin Kolinko wrote:
>> 2014-03-14 15:37 GMT+04:00 Zboron Lukas <lzbo...@gratex.com>:
>>> Hi,
>>> I have several custom jspx tags with dynamic attributes that worked well up
>>> to Tomcat 7.0.47, but they do not work properly on Tomcat 7.0.52. Same
>>> problems occur also when using Spring form tags (I suspect that other
>>> libraries would have same problem, but I didn't test them).
>>>
>>> sample (data-test[2] is dynamic attribute, onclick is static):
>>> <c:set var="world" value="'World'"></c:set>
>>> <sf:form onclick="window.alert('Hello ${world}!')"
>>> data-test="window.alert('Hello ${world}!')"
>>> data-test2="window.alert('Hello World!')"
>>> tomcat 7.0.47 output:
>>> <form onclick="window.alert('Hello 'World'!')"
>>> data-test="window.alert('Hello 'World'!')"
>>> data-test2="window.alert('Hello World!')"
>>> tomcat 7.0.52 output:
>>> <form onclick="window.alert('Hello 'World'!')"
>>> data-test="window.alert(&#039;Hello 'World'!&#039;)"
>>> data-test2="window.alert('Hello World!')"
>>>
>>> If there is EL used in dynamic attribute (data-test), non-EL part of that
>>> attribute is escaped twice, EL part is escaped only once. Tomcat 7.0.47
>>> would escape everything just once.
>>> Everything works as before if static attribute is used (onclick) or there is
>>> no EL in dynamic attribute (data-test2).
>>>
>>> I strongly suspect, that this is caused by this fix:
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55735, but I don't
>>> understand why using EL should cause double escaping of the rest of
>>> attribute value. Is it bug?
>>>
>>
>> It looks like a bug.
>>
>> Please file an issue in Bugzilla.
>> It would be nice if you can attach a simple reproducing web application to
>> it.
>
> It would also help if we could see the source for sf:form or a
> simplified version of it that demonstrates the problem.
>

Apparently this is about <form:form> tag from Spring Framework "form" tags.
Those are in spring-webmvc-4.0.2.RELEASE.jar

META-INF/spring-form.tld defines the tag as
[[[
<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
        version="2.0">
    <description>Spring Framework JSP Form Tag Library</description>
    <tlib-version>4.0</tlib-version>
    <short-name>form</short-name>
    <uri>http://www.springframework.org/tags/form</uri>
    <tag>
        <description>Renders an HTML 'form' tag and exposes a binding path to inner tags for binding.</description>
        <name>form</name>
        <tag-class>org.springframework.web.servlet.tags.form.FormTag</tag-class>
        <body-content>JSP</body-content>
        <attribute>
            <description>HTML Standard Attribute</description>
            <name>id</name>
            <required>false</required>
            <rtexprvalue>true</rtexprvalue>
        </attribute>
        (..skipping a lot of attributes)
        <dynamic-attributes>true</dynamic-attributes>
    </tag>
]]]

and with <dynamic-attributes> it allows to pass any random user-created
attribute there.

Printing those dynamic attributes looks like the following:

in \org\springframework\web\servlet\tags\form\AbstractHtmlElementTag.java

    if (!CollectionUtils.isEmpty(this.dynamicAttributes)) {
        for (String attr : this.dynamicAttributes.keySet()) {
            tagWriter.writeOptionalAttributeValue(attr,
                    getDisplayString(this.dynamicAttributes.get(attr)));
        }
    }

Links:
https://github.com/spring-projects/spring-framework
https://repo.spring.io/libs-release-local/org/springframework/spring/4.0.2.RELEASE/
https://github.com/spring-projects/spring-framework/blob/master/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/AbstractHtmlElementTag.java

Best regards,
Konstantin Kolinko
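
Added example, not part of the original message and not Tomcat or Spring code: a small Java model of the symptom reported in the thread, plus a check that flags double-escaped entities in a rendered attribute. The escape() helper, the class name and the two-stage model (literal text escaped before the tag handler escapes the whole value) are assumptions made for illustration; the thread does not establish where the extra escaping happens.

```java
import java.util.regex.Pattern;

public class DoubleEscapeCheck {
    // Minimal attribute escaper written for this example (not Tomcat's or Spring's code).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // "&amp;" directly followed by an entity body means an already-escaped
    // entity was escaped a second time. Text that intentionally displays a
    // literal entity (e.g. documentation about "&lt;") matches too.
    static final Pattern DOUBLE_ESCAPED =
            Pattern.compile("&amp;(#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);");

    static boolean isDoubleEscaped(String renderedAttribute) {
        return DOUBLE_ESCAPED.matcher(renderedAttribute).find();
    }

    public static void main(String[] args) {
        // Pieces of the data-test attribute from the report.
        String head = "window.alert('Hello ";
        String el = "'World'";          // result of ${world}
        String tail = "!')";

        // Escaped once, after EL evaluation (behaviour reported for 7.0.47).
        String once = escape(head + el + tail);
        // Assumed model of the 7.0.52 symptom: literal text is escaped before
        // the complete value is escaped again; the EL result is escaped once.
        String twice = escape(escape(head) + el + escape(tail));

        System.out.println(once + " -> doubleEscaped=" + isDoubleEscaped(once));
        System.out.println(twice + " -> doubleEscaped=" + isDoubleEscaped(twice));
    }
}
```

Running isDoubleEscaped() over the raw response body of a test page, before and after a container upgrade, gives a regression check for this class of change.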