[
https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Igor Vaynberg updated WICKET-2829:
----------------------------------
Issue Type: Improvement (was: Bug)
Priority: Trivial (was: Major)
> Tag attributes values are not escaped properly during writeOutput
> -----------------------------------------------------------------
>
> Key: WICKET-2829
> URL: https://issues.apache.org/jira/browse/WICKET-2829
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Environment: Wicket 1.4.7
> Reporter: Rodrigo Faria
> Priority: Trivial
>
> In WICKET-741, the double quote character was escaped. But the characters: '
> (single quote) and & (ampersand) are not escaped.
> With & not escaped, if it is included in an attribute value, the result is
> not XML compliant and XHTML validations marks it as an error.
> With ' not escaped, if single quote is used instead of double quote as in:
> <tag attribute='value'/>
> The result will be broken just as double quote was before WICKET-741.
> I'm not sure if < and > characters should also be escaped. Some
> validators/parsers allow them, but some other mark them as errors. I would
> also replace them.
> I suggest adding the lines marked below to ComponentTag.writeOutput:
> ---
> // attributes without values are possible, e.g.' disabled'
> if (value != null)
> {
> response.write("=\"");
> value = Strings.replaceAll(value, "&", "&"); // <--- added
> value = Strings.replaceAll(value, "\"", """);
> value = Strings.replaceAll(value, "\'", "'"); // <----- added
> value = Strings.replaceAll(value, "<", "<"); // <----- added
> value = Strings.replaceAll(value, ">", ">"); // <----- added
> response.write(value);
> response.write("\"");
> }
> ---
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
