Tag attributes values are not escaped properly during writeOutput
-----------------------------------------------------------------

                 Key: WICKET-2829
                 URL: https://issues.apache.org/jira/browse/WICKET-2829
             Project: Wicket
          Issue Type: Bug
          Components: wicket
         Environment: Wicket 1.4.7
            Reporter: Rodrigo Faria


In WICKET-741, the double quote character was escaped. But the characters: ' 
(single quote) and & (ampersand) are not escaped.
With & not escaped, if it is included in an attribute value, the result is not 
XML compliant and XHTML validation marks it as an error.
With ' not escaped, if a single quote is used instead of a double quote, as in:
<tag attribute='value'/>
the result will be broken, just as the double quote was before WICKET-741.

I'm not sure if < and > characters should also be escaped. Some 
validators/parsers allow them, but some others mark them as errors. I would also 
replace them.

I suggest adding the lines marked below to ComponentTag.writeOutput:
---
// attributes without values are possible, e.g.' disabled'
if (value != null)
{
        response.write("=\"");
        value = Strings.replaceAll(value, "&", "&amp;");   // <--- added
        value = Strings.replaceAll(value, "\"", "&#34;");
        value = Strings.replaceAll(value, "\'", "&#39;");   // <----- added
        value = Strings.replaceAll(value, "<", "&lt;");   // <----- added
        value = Strings.replaceAll(value, ">", "&gt;");   // <----- added
        response.write(value);
        response.write("\"");
}
---

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
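The escaping proposed above, as an added example that is not Wicket's own code: a stand-alone method applying the same five replacements, next to a deliberately mis-ordered variant that shows why the ampersand has to be replaced before the others. The class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not part of Wicket: the attribute escaping suggested for
// ComponentTag.writeOutput, written so it can be exercised on its own.
public final class AttributeEscapeExample {

    // Same five replacements as the proposed patch. The ampersand MUST be
    // handled first: every later replacement introduces an '&', and escaping
    // '&' afterwards would turn &#34; into &amp;#34; (double escaping).
    static String escapeAttribute(String value) {
        if (value == null) {
            return null; // attributes without values are possible, e.g. "disabled"
        }
        String v = value.replace("&", "&amp;");
        v = v.replace("\"", "&#34;");
        v = v.replace("'", "&#39;");
        v = v.replace("<", "&lt;");
        v = v.replace(">", "&gt;");
        return v;
    }

    // The wrong order, kept only to demonstrate the double-escaping it causes.
    static String escapeAmpersandLast(String value) {
        String v = value.replace("\"", "&#34;");
        v = v.replace("'", "&#39;");
        return v.replace("&", "&amp;");
    }

    public static void main(String[] args) {
        // Constructed sample values covering each character the report discusses.
        List<String> samples = Arrays.asList(
            "a&b",        // unescaped: tag is no longer well-formed XML
            "it's",       // unescaped: breaks <tag attribute='...'/>
            "say \"hi\"", // handled since WICKET-741
            "<b>"         // rejected by stricter validators
        );
        for (String s : samples) {
            // Single-quoted attribute, the case the report says is still broken.
            System.out.println("<tag attribute='" + escapeAttribute(s) + "'/>");
        }
        // Ordering pitfall: the first line comes out double-escaped, the second does not.
        System.out.println(escapeAmpersandLast("say \"hi\""));
        System.out.println(escapeAttribute("say \"hi\""));
    }
}
```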
