[ https://issues.apache.org/jira/browse/WICKET-1311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten updated WICKET-1311:
----------------------------

    Description: 
All text-based components use a central function to escape HTML markup probably
contained in the text.
This is good style, but the method used, Strings.escapeMarkup(), does not fulfill
its contract.
It does NOT escape all input but instead GUESSES, and so it does not escape the
String "&#" because it assumes an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about its input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of
attribution.

Using the current code it's not possible to have a text value of e.g. '' 
getting properly stored and displayed
as exactly these 5 chars.

(Try it at  http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )



  was:
The method Strings.escapeMarkup() does not fulfill its contract.
It does NOT escape all input but instead GUESSES, and so it does not escape the
String "&#" because it assumes an entity.
This method should not guess about its input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of
attribution.

Using the current code it's not possible to have a text value of e.g. '' 
getting properly displayed
as exactly these 5 chars.

(Try it at  http://wicketstuff.org/wicket13/compref/?wicket:interface=:0::::)



        Summary: Improper HTML escaping for most wicket components and 
extensions  (was: Improperly HTML escaping)

> Improper HTML escaping for most wicket components and extensions
> ----------------------------------------------------------------
>
>                 Key: WICKET-1311
>                 URL: https://issues.apache.org/jira/browse/WICKET-1311
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.0-final
>         Environment: Web Browser ... :-)
>            Reporter: Carsten

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

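Added illustration of the behaviour the report describes. This is demo code written for this page in Java (Wicket's language); it is not part of the JIRA issue and not Wicket's own Strings.escapeMarkup() implementation. escapeGuessing() stands in for an escaper that leaves "&" alone whenever what follows looks like an entity reference (the exact heuristic is an assumption for the demo), escapeBlind() escapes every special character unconditionally, TrustedMarkup is one possible form of the explicit "attribution" the reporter asks for when markup really should be tunnelled through, and browserDecode() is a minimal stand-in for what a browser does with entities in text content. The sample strings are constructed.

```java
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Guessing escaper vs. blind escaper, as discussed in WICKET-1311.
 * Demo code for this page only; the entity heuristic is an assumption and
 * this is not Wicket's Strings.escapeMarkup().
 */
public final class EntityEscapeDemo {

    /** What "looks like an entity" after '&': &#39; &#x27; &amp; (assumed heuristic). */
    private static final Pattern ENTITY_BODY =
            Pattern.compile("^(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);");

    /** Marker for markup the caller explicitly vouches for (the requested "attribution"). */
    public static final class TrustedMarkup {
        private final String markup;
        public TrustedMarkup(String markup) { this.markup = markup; }
        @Override public String toString() { return markup; }
    }

    /** Escapes '<', '>', '"', '\'', but leaves '&' alone whenever an entity seems to follow. */
    public static String escapeGuessing(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '&' && ENTITY_BODY.matcher(text.substring(i + 1)).find()) {
                out.append('&');                 // guessed to be an entity: tunnelled through untouched
            } else {
                out.append(escapeChar(c));
            }
        }
        return out.toString();
    }

    /** Escapes every special character unconditionally; nothing about the input is guessed. */
    public static String escapeBlind(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            out.append(escapeChar(text.charAt(i)));
        }
        return out.toString();
    }

    /** Renders a model value: plain strings are always escaped, trusted markup is emitted as-is. */
    public static String render(Object value) {
        return value instanceof TrustedMarkup ? value.toString() : escapeBlind(String.valueOf(value));
    }

    private static String escapeChar(char c) {
        switch (c) {
            case '&':  return "&amp;";
            case '<':  return "&lt;";
            case '>':  return "&gt;";
            case '"':  return "&quot;";
            case '\'': return "&#39;";
            default:   return String.valueOf(c);
        }
    }

    /** Minimal stand-in for browser entity decoding of text content (only the references above). */
    private static final Pattern ENTITY_REF =
            Pattern.compile("&(#[0-9]+|#[xX][0-9a-fA-F]+|lt|gt|amp|quot);");

    public static String browserDecode(String html) {
        Matcher m = ENTITY_REF.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String ref = m.group(1);
            String replacement;
            if (ref.startsWith("#")) {
                boolean hex = ref.length() > 1 && (ref.charAt(1) == 'x' || ref.charAt(1) == 'X');
                int cp;
                try { cp = Integer.parseInt(ref.substring(hex ? 2 : 1), hex ? 16 : 10); }
                catch (NumberFormatException e) { cp = -1; }          // out of range: leave the text alone
                replacement = Character.isValidCodePoint(cp) ? new String(Character.toChars(cp)) : m.group();
            } else {
                replacement = ref.equals("lt") ? "<" : ref.equals("gt") ? ">" : ref.equals("amp") ? "&" : "\"";
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** True when the text survives escaping plus browser decoding unchanged. */
    public static boolean roundTrips(String text, Function<String, String> escaper) {
        return text.equals(browserDecode(escaper.apply(text)));
    }

    public static void main(String[] args) {
        // Constructed samples: the five typed characters from the report, a numeric-entity "tag", plain text.
        for (String sample : new String[] { "&#39;", "&#x3C;b&#x3E;", "Tom & Jerry <3" }) {
            System.out.printf("%-16s guessing: %-24s -> user sees %-16s round-trips=%b%n", sample,
                    escapeGuessing(sample), browserDecode(escapeGuessing(sample)),
                    roundTrips(sample, EntityEscapeDemo::escapeGuessing));
            System.out.printf("%-16s blind:    %-24s -> user sees %-16s round-trips=%b%n", sample,
                    escapeBlind(sample), browserDecode(escapeBlind(sample)),
                    roundTrips(sample, EntityEscapeDemo::escapeBlind));
        }
        // Trusted markup is opted into by type, not inferred from the shape of the string.
        System.out.println(render("&#39;") + "  vs  " + render(new TrustedMarkup("&#39;")));
    }
}
```

Compile and run with javac EntityEscapeDemo.java && java EntityEscapeDemo. For the input "&#39;" the guessing escaper returns the string unchanged, so the browser shows a single apostrophe instead of the five characters the user typed, and the round trip fails; the blind escaper returns "&amp;#39;", which decodes back to exactly "&#39;". Beyond the display problem the report is about, escaping unconditionally is also the safe default in any context where the browser decodes entities before a second parser sees the value (an inline event-handler attribute, for example), which is why exceptions belong in an explicit wrapper like TrustedMarkup rather than in a guess about the input.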