Author: cbrisson Date: Sun Mar 10 11:54:57 2019 New Revision: 1855144 URL: http://svn.apache.org/viewvc?rev=1855144&view=rev Log: [engine] Deprecate HTML, XML and Javascript EscapeReference event handlers
Modified: velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java
Modified: velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java
URL: http://svn.apache.org/viewvc/velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java?rev=1855144&r1=1855143&r2=1855144&view=diff
==============================================================================
--- velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java (original)
+++ velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java Sun Mar 10 11:54:57 2019
@@ -22,12 +22,15 @@ import org.apache.commons.lang3.StringEs
  */
 
 /**
- * Escape all HTML entities.
+ * <p>Escape all HTML entities.</p>
+ * <p>Warning: escaping references this way, without knowing if they land inside plain text, inside an attribute value or elsewhere, is not usable in production.</p>
  *
  * @see <a href="http://commons.apache.org/proper/commons-lang/javadocs/api-release/org/apache/commons/lang3/StringEscapeUtils.html#escapeHtml4%28java.lang.String%29">StringEscapeUtils</a>
  * @author wglass
  * @since 1.5
+ * @deprecated impractical use
  */
+@Deprecated
 public class EscapeHtmlReference extends EscapeReference
 {
 
Modified: velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java
URL: http://svn.apache.org/viewvc/velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java?rev=1855144&r1=1855143&r2=1855144&view=diff
==============================================================================
--- velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java (original)
+++ velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java Sun Mar 10 11:54:57 2019
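Review bot: The `@deprecated impractical use` tag added to EscapeHtmlReference, and repeated in the EscapeJavaScriptReference and EscapeXmlReference hunks, tells a maintainer neither since when the class is deprecated nor what to do instead. The warning added above it already gives the reason: a global reference handler cannot know whether a value lands in plain text, an attribute value or elsewhere, so it may apply the wrong escaping for the place the value ends up. I would carry that into the tag, for example `@deprecated since <VERSION>: context-unaware escaping; escape each reference explicitly in the template, where the output context is known`, with the release filled in. The class body continues outside the hunk.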
@@ -22,12 +22,15 @@ import org.apache.commons.lang3.StringEs
  */
 
 /**
- * Escapes the characters in a String to be suitable for use in JavaScript.
+ * <p>Escapes the characters in a String to be suitable for use in JavaScript.</p>
+ * <p>Warning: escaping references this way, without knowing if they land inside or outside Javascript simple-quoted or double-quoted strings, is not usable in production.</p>
  *
  * @see <a href="http://commons.apache.org/proper/commons-lang/javadocs/api-release/org/apache/commons/lang3/StringEscapeUtils.html#escapeEcmaScript%28java.lang.String%29">StringEscapeUtils</a>
  * @author wglass
  * @since 1.5
+ * @deprecated impractical use
  */
+@Deprecated
 public class EscapeJavaScriptReference extends EscapeReference
 {
 
Modified: velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java
URL: http://svn.apache.org/viewvc/velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java?rev=1855144&r1=1855143&r2=1855144&view=diff
==============================================================================
--- velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java (original)
+++ velocity/engine/trunk/velocity-engine-core/src/main/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java Sun Mar 10 11:54:57 2019
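Review bot: The first paragraph of the EscapeJavaScriptReference Javadoc still says the output is "suitable for use in JavaScript" without qualification, which the warning added directly below it contradicts. Assuming the string-literal context is what is meant, I would narrow the summary to something like `Escapes the characters in a String for use inside a JavaScript string literal.` so a reader who stops at the first sentence is not misled. In the warning itself, "simple-quoted" should read "single-quoted" and "Javascript" should match the "JavaScript" spelling used one line above.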
@@ -22,10 +22,13 @@ import org.apache.commons.lang3.StringEs
  */
 
 /**
- * Escape all XML entities, suitable for placing the output inside an XML (1.0) text node or attribute value.
+ * <p>Escape all XML entities, suitable for placing the output inside an XML (1.0) text node or attribute value.</p>
+ * <p>Warning: escaping references this way, without knowing if they land inside plain text, inside an attribute value or elsewhere, is not usable in production.</p>
+ *
  * @see <a href="http://jakarta.apache.org/commons/lang/api/org/apache/commons/lang/StringEscapeUtils.html#escapeSql(java.lang.String)">StringEscapeUtils</a>
  * @author wglass
  * @since 1.5
+ * @deprecated impractical use
  */
 public class EscapeXmlReference extends EscapeReference
 {
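Review bot: EscapeXmlReference gets the `@deprecated` Javadoc tag but not the `@Deprecated` annotation that the other two classes in this commit receive. The three deprecations are therefore inconsistent, and anything that keys on the annotation (reflection, or javac's `-Xlint:dep-ann` check) will not see this class as deprecated. Add `@Deprecated` on the line before `public class EscapeXmlReference extends EscapeReference`. Separately, the unchanged `@see` link in this hunk still points at `escapeSql` in the old commons-lang Javadoc, which does not match an XML escaper and is worth correcting while this comment is being edited.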