You might try wrapping the script in a CDATA before trying to escape the JS.
<![CDATA[ <script> </script> ]]>

-------------- Original message ----------------------
From: Jeff Tsay <[EMAIL PROTECTED]>
> Hi,
>
> I'm trying to use Shale validator with xulfaces. (XUL is a user
> interface language that is a type of XML) The first problem I'm having
> is that
>
> <val:validatorScript functionName="validateForm"/>
>
> is encoded as follows:
>
> <script type="text/javascript" language="Javascript1.1">
> function _required() {
> this[0] = new Array("j_id_id32", "null is required.", new Function("x", "return {}[x];"));
> }
> var bCancel = false;
> function validateForm(form) {
> var bValid = true;
> var sFormName = jcv_retrieveFormName(form);
> if ((bValid && !bCancel && ("" == sFormName))) {
> bValid = (validateRequired(form));
>
> }
> return bValid;
> }
>
> ...
>
> Note the &&. When I load this page in Firefox, it complains that && is
> not valid XML, which it is not. It should be escaped to &amp;&amp;. I
> guess because HTML browsers allow special characters like & inside
> <script> tags, this problem wasn't caught previously. I guess if the
> script appeared in an XHTML document, and a browser was strict, this
> problem could show up too.
>
> So I was trying to fix this problem and looking at
> org.apache.shale.validator.faces.ValidatorScript.writeValidationFunctions().
> It looks like the script text is written here with
> ResponseWriter.write(). The problem is ResponseWriter.write() doesn't
> escape the characters as ResponseWriter.writeText() does. However,
> writeText() won't work since it closes any open tags (in this case
> <script>). So we need to escape ourselves. The trouble is, how do we
> know how to escape the characters? I was thinking of using
> org.apache.commons.lang.StringEscapeUtils.escapeXml() and escapeHtml(),
> but how can we determine what the content type we are outputting is? If
> we knew, I guess we could then create a WrappedResponseWriter that
> overloads write(String) ...
>
> Thanks,
>
> Jeff
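
The two options discussed in this thread (escaping the script text, or wrapping it in CDATA) can be compared with a strict XML parser. The following is an added example, not code from Shale or from either poster; the class `ScriptEmbedding`, its method names and the sample script line are hypothetical and constructed for illustration. It also covers the case where the script itself contains `]]>`, which would end a CDATA section early.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class ScriptEmbedding {

    // Escape character data for an XML text node (the step write() skips).
    static String escapeXmlText(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Wrap in CDATA. A literal "]]>" inside the script would close the
    // section early, so it is split across two adjacent CDATA sections.
    static String wrapInCdata(String s) {
        return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    // True if a strict XML parser accepts the fragment as a document.
    static boolean isWellFormed(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // keep parser errors off stderr
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    static String scriptElement(String body) {
        return "<script type=\"text/javascript\">" + body + "</script>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the condition from the post plus a "]]>" case.
        String js = "if (bValid && !bCancel && (\"\" == sFormName)) { ok = a[b[0]]>1; }";
        System.out.println("raw text:     " + isWellFormed(scriptElement(js)));
        System.out.println("escaped text: " + isWellFormed(scriptElement(escapeXmlText(js))));
        System.out.println("safe CDATA:   " + isWellFormed(scriptElement(wrapInCdata(js))));
        System.out.println("naive CDATA:  "
                + isWellFormed(scriptElement("<![CDATA[" + js + "]]>")));
    }
}
```

Escaped text is only correct when the consumer is a real XML parser; an HTML parser does not decode entities inside `<script>`, which is why the output content type matters for choosing between the two.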