Author: nbubna
Date: Tue Oct 18 16:03:47 2005
New Revision: 326291
URL: http://svn.apache.org/viewcvs?rev=326291&view=rev
Log:
escape javascript in var values properly (thx to Christopher Schultz for the
fix. see JIRA issue VELTOOLS-52)
Modified:
jakarta/velocity/tools/trunk/src/java/org/apache/velocity/tools/struts/ValidatorTool.java
Modified:
jakarta/velocity/tools/trunk/src/java/org/apache/velocity/tools/struts/ValidatorTool.java
URL:
http://svn.apache.org/viewcvs/jakarta/velocity/tools/trunk/src/java/org/apache/velocity/tools/struts/ValidatorTool.java?rev=326291&r1=326290&r2=326291&view=diff
==============================================================================
---
jakarta/velocity/tools/trunk/src/java/org/apache/velocity/tools/struts/ValidatorTool.java
(original)
+++
jakarta/velocity/tools/trunk/src/java/org/apache/velocity/tools/struts/ValidatorTool.java
Tue Oct 18 16:03:47 2005
@@ -513,9 +513,9 @@
results.append(" this.a");
results.append(jscriptVar++);
results.append(" = new Array(\"");
- results.append(field.getKey());
+ results.append(field.getKey()); // TODO: escape?
results.append("\", \"");
- results.append(escapeQuotes(message));
+ results.append(escapeJavascript(message));
results.append("\", ");
results.append("new Function (\"varName\", \"");
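Review bot: The `field.getKey()` value left with `// TODO: escape?` is written into the same double-quoted JavaScript string literal as the message, so the helper this commit introduces applies to it directly: `results.append(escapeJavascript(field.getKey()));`. A key containing a quote or backslash would otherwise terminate the literal and the remainder would be parsed as script, whatever its source; whether keys can come from anything other than the validator configuration is not visible here. The enclosing method begins and ends outside this hunk.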
@@ -524,7 +524,7 @@
Iterator varsIterator = vars.keySet().iterator();
while (varsIterator.hasNext())
{
- String varName = (String)varsIterator.next();
+ String varName = (String)varsIterator.next(); // TODO:
escape?
Var var = (Var)vars.get(varName);
String varValue = var.getValue();
String jsType = var.getJsType();
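Review bot: The `// TODO: escape?` on `varName` cannot be resolved with `escapeJavascript`, because later in this method the name is appended after `this.` as a JavaScript identifier (visible in the next hunk), not inside a string literal, and a backslash-escaped identifier is a syntax error rather than a safe value. The right check is to validate instead of escape, e.g. `if (!varName.matches("[A-Za-z_$][A-Za-z0-9_$]*")) { continue; }` right after the declaration, so a name that is not a plain identifier is skipped (ideally with a logged warning) before anything is emitted; this assumes `java.util.regex` is available on the target JDK. Where the names originate (validator configuration or elsewhere) is not visible here, and the enclosing loop and method extend beyond the hunk.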
@@ -539,8 +539,7 @@
results.append("this.");
results.append(varName);
- String escapedVarValue =
- ValidatorUtils.replace(varValue, "\\", "\\\\");
+ String escapedVarValue = escapeJavascript(varValue);
if (Var.JSTYPE_INT.equalsIgnoreCase(jsType))
{
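Review bot: `escapeJavascript(varValue)` only protects a value that is emitted inside a quoted JavaScript string literal, yet the `Var.JSTYPE_INT` branch opened on the last line of this hunk (its body lies outside the hunk) presumably emits the value unquoted as a numeric literal, where a leading backslash gives no protection and simply yields a syntax error if a bad value gets through. For that branch the value should be validated rather than escaped, e.g. `Integer.parseInt(varValue)` in a try/catch that skips or logs the var on `NumberFormatException`, with only the string-typed branches using `escapedVarValue`. The enclosing method begins and ends outside this hunk.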
@@ -583,26 +582,48 @@
}
- private String escapeQuotes(String in)
+ /**
+ * <p>Backslash-escapes the following characters from the input string:
+ * ", ', \, \r, \n.</p>
+ *
+ * <p>This method escapes characters that will result in an invalid
+ * Javascript statement within the validator Javascript.</p>
+ *
+ * @param str The string to escape.
+ * @return The string <code>s</code> with each instance of a double quote,
+ * single quote, backslash, carriage-return, or line feed escaped
+ * with a leading backslash.
+ * @since VelocityTools 1.2
+ */
+ protected String escapeJavascript(String str)
{
- if (in == null || in.indexOf("\"") == -1)
+ if (str == null)
{
- return in;
+ return null;
+ }
+ int length = str.length();
+ if (length == 0)
+ {
+ return str;
}
- StringBuffer buffer = new StringBuffer();
- StringTokenizer tokenizer = new StringTokenizer(in, "\"", true);
- while (tokenizer.hasMoreTokens())
+ // guess at how many chars we'll be adding...
+ StringBuffer out = new StringBuffer(length + 4);
+ // run through the string escaping sensitive chars
+ for (int i=0; i < length; i++)
{
- String token = tokenizer.nextToken();
- if (token.equals("\""))
+ char c = str.charAt(i);
+ if (c == '"' ||
+ c == '\'' ||
+ c == '\\' ||
+ c == '\n' ||
+ c == '\r')
{
- buffer.append("\\");
+ out.append('\\');
}
- buffer.append(token);
+ out.append(c);
}
-
- return buffer.toString();
+ return out.toString();
}
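Review bot: `escapeJavascript` does not neutralize `</`, so a value containing `</script>` still closes an inline script element before the JavaScript parser ever sees the backslash escapes; adding `c == '/' ||` to the condition in the loop (emitting `\/`, which is a valid JavaScript escape) closes that gap and is the usual approach. The Unicode line terminators U+2028 and U+2029 are likewise legal inside a JavaScript string literal only as `\u2028`/`\u2029` escapes in pre-ES2019 engines, and prefixing the raw character with a backslash does not help; those, and NUL, would need to be rewritten as `\\u2028`-style sequences instead. Whether message text or var values can carry attacker-influenced content is not visible here, so the practical severity is uncertain. Separately, the Javadoc `@return` refers to `<code>s</code>` while the parameter is `str`; `@return The string <code>str</code> with each instance of ...`.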