Author: markt Date: Thu Nov 5 13:36:12 2015 New Revision: 1712765 URL: http://svn.apache.org/viewvc?rev=1712765&view=rev Log: Convert the STRICT_QUOTE_ESCAPING system property setting into a per web application setting.
Modified: tomcat/trunk/conf/web.xml tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java tomcat/trunk/java/org/apache/jasper/JspC.java tomcat/trunk/java/org/apache/jasper/Options.java tomcat/trunk/java/org/apache/jasper/compiler/AttributeParser.java tomcat/trunk/java/org/apache/jasper/compiler/Parser.java tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties tomcat/trunk/webapps/docs/jasper-howto.xml
Modified: tomcat/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Thu Nov 5 13:36:12 2015
@@ -241,6 +241,14 @@
 <!-- -->
 <!-- xpoweredBy Determines whether X-Powered-By response -->
 <!-- header is added by generated servlet. [false] -->
+ <!-- -->
+ <!-- strictQuoteEscaping When scriptlet expressions are used for -->
+ <!-- attribute values, should the rules in JSP.1.6 -->
+ <!-- for the escaping of quote characters be -->
+ <!-- strictly applied? [true] -->
+ <!-- The default can be changed with the -->
+ <!-- org.apache.jasper.compiler.Parser. -->
+ <!-- STRICT_QUOTE_ESCAPING system property. -->
 <servlet>
 <servlet-name>jsp</servlet-name>
Modified: tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java (original)
+++ tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java Thu Nov 5 13:36:12 2015
@@ -199,6 +199,20 @@ public final class EmbeddedServletOption
 */
 private int jspIdleTimeout = -1;
+ /**
+ * System property that controls if the strict quoting rules are applied
+ * when parsing attribute values that use scriptlet expressions (<%=...%>).
+ */
+ private static final boolean STRICT_QUOTE_ESCAPING_DEFAULT= Boolean.parseBoolean(
+ System.getProperty(
+ "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING",
+ "true"));
+ /**
+ * Should JSP.1.6 be applied strictly to attributes defined using scriptlet
+ * expressions?
+ */
+ private boolean strictQuoteEscaping = STRICT_QUOTE_ESCAPING_DEFAULT;
+
 public String getProperty(String name ) {
 return settings.getProperty( name );
 }
@@ -442,6 +456,11 @@ public final class EmbeddedServletOption
 return jspIdleTimeout;
 }
+ @Override
+ public boolean getStrictQuoteEscaping() {
+ return strictQuoteEscaping;
+ }
+
 /**
 * Create an EmbeddedServletOptions object using data available from
 * ServletConfig and ServletContext.
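Review bot: The lookup of `org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING` added in the hunk at -199 is repeated verbatim in the JspC hunk at -107, so the property key and its `"true"` fallback now live in two private constants that can drift apart; a single constant that both classes reference would keep the runtime and pre-compilation defaults identical. The value is read once in a static field initializer, so changing the system property after the class has loaded has no effect, which the Javadoc could say. In that Javadoc the raw `<%=...%>` should be written `{@code <%=...%>}` so it renders, and `STRICT_QUOTE_ESCAPING_DEFAULT= Boolean.parseBoolean(` is missing the space before `=`.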
@@ -741,6 +760,21 @@ public final class EmbeddedServletOption
 }
 }
+ String strictQuoteEscaping = config.getInitParameter("strictQuoteEscaping");
+ if (strictQuoteEscaping != null) {
+ if (strictQuoteEscaping.equalsIgnoreCase("true")) {
+ this.strictQuoteEscaping = true;
+ } else if (strictQuoteEscaping.equalsIgnoreCase("false")) {
+ this.strictQuoteEscaping = false;
+ } else {
+ if (log.isWarnEnabled()) {
+ log.warn(Localizer.getMessage("jsp.warning.strictQuoteEscaping",
+ Boolean.toString(STRICT_QUOTE_ESCAPING_DEFAULT)));
+ }
+ }
+ }
+
+
 // Setup the global Tag Libraries location cache for this
 // web-application.
 tldCache = TldCache.getInstance(context);
Modified: tomcat/trunk/java/org/apache/jasper/JspC.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/JspC.java?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/JspC.java (original)
+++ tomcat/trunk/java/org/apache/jasper/JspC.java Thu Nov 5 13:36:12 2015
@@ -107,6 +107,15 @@ public class JspC extends Task implement
 // Logger
 private static final Log log = LogFactory.getLog(JspC.class);
+ /**
+ * System property that controls if the strict quoting rules are applied
+ * when parsing attribute values that use scriptlet expressions (<%=...%>).
+ */
+ private static final boolean STRICT_QUOTE_ESCAPING_DEFAULT= Boolean.parseBoolean(
+ System.getProperty(
+ "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING",
+ "true"));
+
 protected static final String SWITCH_VERBOSE = "-v";
 protected static final String SWITCH_HELP = "-help";
 protected static final String SWITCH_OUTPUT_DIR = "-d";
@@ -137,6 +146,8 @@ public class JspC extends Task implement
 protected static final String SWITCH_VALIDATE_XML = "-validateXml";
 protected static final String SWITCH_BLOCK_EXTERNAL = "-blockExternal";
 protected static final String SWITCH_NO_BLOCK_EXTERNAL = "-no-blockExternal";
+ protected static final String SWITCH_STRICT_QUOTE_ESCAPING = "-strictQuoteEscaping";
+ protected static final String SWITCH_NO_STRICT_QUOTE_ESCAPING = "-no-strictQuoteEscaping";
 protected static final String SHOW_SUCCESS ="-s";
 protected static final String LIST_ERRORS = "-l";
 protected static final int INC_WEBXML = 10;
@@ -170,6 +181,7 @@ public class JspC extends Task implement
 protected boolean validateTld;
 protected boolean validateXml;
 protected boolean blockExternal = true;
+ protected boolean strictQuoteEscaping = STRICT_QUOTE_ESCAPING_DEFAULT;
 protected boolean xpoweredBy;
 protected boolean mappedFile = false;
 protected boolean poolingEnabled = true;
@@ -893,6 +905,15 @@ public class JspC extends Task implement
 return blockExternal;
 }
+ public void setStrictQuoteEscaping( boolean b ) {
+ this.strictQuoteEscaping = b;
+ }
+
+ @Override
+ public boolean getStrictQuoteEscaping() {
+ return strictQuoteEscaping;
+ }
+
 public void setListErrors( boolean b ) {
 listErrors = b;
 }
Modified: tomcat/trunk/java/org/apache/jasper/Options.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/Options.java?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/Options.java (original)
+++ tomcat/trunk/java/org/apache/jasper/Options.java Thu Nov 5 13:36:12 2015
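Review bot: `SWITCH_STRICT_QUOTE_ESCAPING` and `SWITCH_NO_STRICT_QUOTE_ESCAPING` are declared in the hunk at -137, but none of the JspC hunks in this commit reads them, so as far as this diff shows the two command-line switches are never matched and only the `setStrictQuoteEscaping(boolean)` setter can change the value. The argument-parsing method lies outside the hunks; it presumably needs one branch per switch next to the handling of `SWITCH_BLOCK_EXTERNAL` and `SWITCH_NO_BLOCK_EXTERNAL`, calling `setStrictQuoteEscaping(true)` and `setStrictQuoteEscaping(false)`, plus an entry in the usage text. Until then, pre-compiled pages and pages compiled by the JSP servlet could end up parsed under different quoting rules.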
@@ -231,4 +231,10 @@ public interface Options {
 * If unset or less or equal than 0, no jsps are unloaded.
 */
 public int getJspIdleTimeout();
+
+ /**
+ * @return {@code true} if the quote escaping required by section JSP.1.6 of
+ * the JSP specification should be applied to scriplet expression.
+ */
+ public boolean getStrictQuoteEscaping();
 }
Modified: tomcat/trunk/java/org/apache/jasper/compiler/AttributeParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/AttributeParser.java?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/compiler/AttributeParser.java (original)
+++ tomcat/trunk/java/org/apache/jasper/compiler/AttributeParser.java Thu Nov 5 13:36:12 2015
@@ -28,12 +28,6 @@ package org.apache.jasper.compiler;
 */
 public class AttributeParser {
- /* System property that controls if the strict quoting rules are applied. */
- private static final boolean STRICT_QUOTE_ESCAPING = Boolean.parseBoolean(
- System.getProperty(
- "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING",
- "true"));
-
 /**
 * Parses the provided input String as a JSP attribute and returns an
 * unquoted value.
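Review bot: `getStrictQuoteEscaping()` is added to the public `Options` interface in the hunk at -231 as an abstract method, so any `Options` implementation other than the two classes updated in this commit stops compiling until it adds the method. That deserves a changelog entry, or a `default` implementation if the branch's minimum Java level allows one. The Javadoc also misspells scriptlet and is vaguer than the web.xml text; I would write `@return {@code true} if the quote escaping required by section JSP.1.6 of the JSP specification should be applied to scriptlet expressions used as attribute values.`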
@@ -45,34 +39,13 @@ public class AttributeParser {
 * where the JSP attribute is defined.
 * @param isDeferredSyntaxAllowedAsLiteral
 * Are deferred expressions treated as literals?
+ * @param strict Should the rules of JSP.1.6 for escpaing quotes be
+ * strictly applied?
 * @return An unquoted JSP attribute that, if it contains
 * expression language can be safely passed to the EL
 * processor without fear of ambiguity.
 */
 public static String getUnquoted(String input, char quote,
- boolean isELIgnored, boolean isDeferredSyntaxAllowedAsLiteral) {
- return (new AttributeParser(input, quote, isELIgnored,
- isDeferredSyntaxAllowedAsLiteral,
- STRICT_QUOTE_ESCAPING)).getUnquoted();
- }
-
- /**
- * Provided solely for unit test purposes and allows per call overriding of
- * the STRICT_QUOTE_ESCAPING system property.
- *
- * @param input The input.
- * @param quote The quote character for the attribute or 0 for
- * scripting expressions.
- * @param isELIgnored Is expression language being ignored on the page
- * where the JSP attribute is defined.
- * @param isDeferredSyntaxAllowedAsLiteral
- * Are deferred expressions treated as literals?
- * @param strict The value to use for STRICT_QUOTE_ESCAPING.
- * @return An unquoted JSP attribute that, if it contains
- * expression language can be safely passed to the EL
- * processor without fear of ambiguity.
- */
- protected static String getUnquoted(String input, char quote,
 boolean isELIgnored, boolean isDeferredSyntaxAllowedAsLiteral, boolean strict) {
 return (new AttributeParser(input, quote, isELIgnored,
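Review bot: The public four-argument `getUnquoted` is removed in the hunk at -45 and the former test-only overload is widened from `protected` to `public`, so every caller now has to pass `strict` explicitly; only the `Parser` call site is updated in this commit, and any other caller of the old signature would no longer compile. The new `@param strict` line misspells escaping and does not say what the relaxed mode accepts; I would write `@param strict Should the rules of JSP.1.6 for escaping quotes be strictly applied?` and add a sentence describing the behaviour when it is `false`. The method body continues past the end of the hunk.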
@@ -92,7 +65,9 @@ public class AttributeParser {
 /* Are deferred expression treated as literals */
 private final boolean isDeferredSyntaxAllowedAsLiteral;
- /* Overrides the STRICT_QUOTE_ESCAPING. Used for Unit tests only. */
+ /* If a quote appears that matches quote, must it always be escaped? See
+ * JSP.1.6.
+ */
 private final boolean strict;
 /* The type ($ or #) of expression. Literals have a type of null. */
Modified: tomcat/trunk/java/org/apache/jasper/compiler/Parser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/Parser.java?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/compiler/Parser.java (original)
+++ tomcat/trunk/java/org/apache/jasper/compiler/Parser.java Thu Nov 5 13:36:12 2015
@@ -281,7 +281,8 @@ class Parser implements TagConstants {
 ret = AttributeParser.getUnquoted(reader.getText(start, stop), quote, isElIgnored,
- pageInfo.isDeferredSyntaxAllowedAsLiteral());
+ pageInfo.isDeferredSyntaxAllowedAsLiteral(),
+ ctxt.getOptions().getStrictQuoteEscaping());
 } catch (IllegalArgumentException iae) {
 err.jspError(start, iae.getMessage());
 }
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Thu Nov 5 13:36:12 2015
@@ -123,6 +123,7 @@ jsp.warning.suppressSmap=Warning: Invali
 jsp.warning.displaySourceFragment=Warning: Invalid value for the initParam displaySourceFragment. Will use the default value of \"true\"
 jsp.warning.maxLoadedJsps=Warning: Invalid value for the initParam maxLoadedJsps. Will use the default value of \"-1\"
 jsp.warning.jspIdleTimeout=Warning: Invalid value for the initParam jspIdleTimeout. Will use the default value of \"-1\"
+jsp.warning.strictQuoteEscaping=Warning: Invalid value for the initParam strictQuoteEscaping. Will use the default value of \"{0}\"
 jsp.warning.unknown.element.in.taglib=Unknown element ({0}) in taglib
 jsp.warning.unknown.element.in.tag=Unknown element ({0}) in tag
 jsp.warning.unknown.element.in.tagfile=Unknown element ({0}) in tag-file
Modified: tomcat/trunk/webapps/docs/jasper-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/jasper-howto.xml?rev=1712765&r1=1712764&r2=1712765&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/jasper-howto.xml (original)
+++ tomcat/trunk/webapps/docs/jasper-howto.xml Thu Nov 5 13:36:12 2015
@@ -197,8 +197,14 @@ actions or directives be trimmed ?, defa <li><strong>xpoweredBy</strong> - Determines whether X-Powered-By response header is added by generated servlet. <code>true</code> or <code>false</code>, default <code>false</code>.</li> -</ul> +<li><strong>strictQuoteEscaping</strong> - When scriptlet expressions are used +for attribute values, should the rules in JSP.1.6 for the escaping of quote +characters be strictly applied? <code>true</code> or <code>false</code>, default +<code>true</code> which can be changed with the +<code>org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING</code> system +property.</li> +</ul> <p>The Java compiler from Eclipse JDT in included as the default compiler. It is an advanced Java compiler which will load all dependencies from the Tomcat class --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org