CLONE -Improper HTML escaping for most wicket components and extensions
-----------------------------------------------------------------------
Key: WICKET-2484
URL: https://issues.apache.org/jira/browse/WICKET-2484
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.3.0-final
Environment: Web Browser ... :-)
Reporter: Frank Klein Koerkamp
Assignee: Igor Vaynberg
Fix For: 1.4-RC1
All text based components use a central function to escape html markup probably
contained in the text.
This is good style but the used method Strings.escapeMarkup() does not fullfill
its contract.
It does NOT escape all input but instead GUESSES and so it does not escape the
String "&#" because it assumes
an entity.
That means it is not possible to display data which looks like a numeric entity.
This utility method should not guess about it's input but escape blindly.
If an entity should be "tunnelled through", there should be some kind of
attributation.
Using the current code it's not possible to have a text value of e.g. ''
getting properly stored and displayed
as exactly these 5 chars.
(Try it at http://wicketstuff.org/wicket13/compref/?wicket:interface=:0:::: )
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
