Re: double xmlEscape in dynamic attributes in 7.0.52

Konstantin Kolinko Fri, 14 Mar 2014 13:03:41 -0700

2014-03-14 15:37 GMT+04:00 Zboron Lukas <lzbo...@gratex.com>:
> Hi,
> I have several custom jspx tags with dynamic attributes that worked well up
> to Tomcat 7.0.47, but they do not work properly on Tomcat 7.0.52. Same
> problems occur also when using Spring form tags (I suspect that other
> libraries would have same problem, but I didn't test them).
>
> sample (data-test[2] is dynamic attribute, onclick is static):
> <c:set var="world" value="'World'"></c:set>
> <sf:form onclick="window.alert('Hello ${world}!')"
>         data-test="window.alert('Hello ${world}!')"
>         data-test2="window.alert('Hello World!')"
> tomcat 7.0.47 output:
> <form onclick="window.alert(&#39;Hello &#39;World&#39;!&#39;)"
>         data-test="window.alert(&#39;Hello &#39;World&#39;!&#39;)"
>         data-test2="window.alert(&#39;Hello World!&#39;)"
> tomcat 7.0.52 output:
> <form onclick="window.alert(&#39;Hello &#39;World&#39;!&#39;)"
>         data-test="window.alert(&amp;#039;Hello &#39;World&#39;!&amp;#039;)"
>         data-test2="window.alert(&#39;Hello World!&#39;)"
>
> If there is EL used in dynamic attribute (data-test), non-EL part of that
> attribute is escaped twice, EL part is escaped only once. Tomcat 7.0.47
> would escape everything just once.
> Everything works as before if static attribute is used (onclick) or there is
> no EL in dynamic attribute (data-test2).
>


I prepared a reproducer and filed the following issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56265

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: double xmlEscape in dynamic attributes in 7.0.52

Reply via email to