[
https://issues.apache.org/jira/browse/WICKET-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Király updated WICKET-2829:
----------------------------------
Attachment: a.html
> Escaping '&' with '&amp;' breaks URLs with query parameters - e.g.
> href="http://www.example.com?a=b&c=d" (note b&c).
> Escaping single quote breaks javascript functions - e.g.
> onclick="doSomething('parameter')".
> Escaping > or < will break pure Javascript - e.g.
> onblur="if (this.value < 20 || this.value > 50)".
No, they will not break. Browsers first decode the encoded characters before
passing them on to the JS engine or using them as a URL. This is true for both XHTML and
standard HTML.
For an example see the attached html.
> Tag attributes values are not escaped properly during writeOutput
> -----------------------------------------------------------------
>
> Key: WICKET-2829
> URL: https://issues.apache.org/jira/browse/WICKET-2829
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 1.4.7
> Environment: Wicket 1.4.7
> Reporter: Rodrigo Faria
> Priority: Trivial
> Attachments: a.html
>
>
> In WICKET-741, the double quote character was escaped. But the characters: '
> (single quote) and & (ampersand) are not escaped.
> With & not escaped, if it is included in an attribute value, the result is
> not XML compliant and XHTML validation marks it as an error.
> With ' not escaped, if a single quote is used instead of a double quote as in:
> <tag attribute='value'/>
> The result will be broken just as the double quote was before WICKET-741.
> I'm not sure if < and > characters should also be escaped. Some
> validators/parsers allow them, but others mark them as errors. I would
> also replace them.
> I suggest adding the lines marked below to ComponentTag.writeOutput:
> ---
> // attributes without values are possible, e.g.' disabled'
> if (value != null)
> {
>     response.write("=\"");
>     // '&' is replaced first so the '&' introduced by the entities below is not escaped again
>     value = Strings.replaceAll(value, "&", "&amp;"); // <--- added
>     value = Strings.replaceAll(value, "\"", "&quot;");
>     value = Strings.replaceAll(value, "\'", "&#39;"); // <----- added (&#39; assumed; the exact entity is not recoverable from this copy)
>     value = Strings.replaceAll(value, "<", "&lt;"); // <----- added
>     value = Strings.replaceAll(value, ">", "&gt;"); // <----- added
>     response.write(value);
>     response.write("\"");
> }
> ---
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
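Added example, not code from the issue or from Wicket: the five replacements proposed for ComponentTag.writeOutput, written in JavaScript next to a minimal model of the character-reference decoding a browser applies to an attribute value before it hands it to the JS engine or uses it as a URL. It shows both points made in the thread: the three "this will break" values round-trip unchanged once decoded, and an unescaped value containing a quote breaks out of the attribute while the escaped one does not. The entity used for the single quote (`&#39;`), the function names and the sample values are the example's own assumptions; the decoder only knows the entities the escaper emits plus numeric references, not the full HTML named-entity table.

```javascript
// Added example (not Wicket code). &#39; for the single quote is an assumption.

// Escape a value for use inside a quoted HTML/XHTML attribute. '&' must be
// replaced first, otherwise the '&' of the entities added afterwards would be
// escaped a second time.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render one attribute the way a tag writer would: name="value".
function renderAttribute(name, value) {
  return `${name}="${escapeAttribute(value)}"`;
}

// The pre-fix behaviour described in the issue: only the value's quotes are
// left alone here so the breakout case below is visible.
function renderAttributeUnescaped(name, value) {
  return `${name}="${value}"`;
}

// Simplified model of the browser's character-reference decoding: the five
// named references the escaper emits (plus &apos;) and decimal/hex numeric
// references. Unknown references are left untouched, as a browser would.
const NAMED = { amp: "&", quot: '"', lt: "<", gt: ">", apos: "'" };
function decodeAttributeValue(raw) {
  return raw.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, ref) => {
    if (ref[0] === "#") {
      const cp = /^#[xX]/.test(ref)
        ? parseInt(ref.slice(2), 16)
        : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return ref in NAMED ? NAMED[ref] : m;
  });
}

// Parse exactly one double-quoted attribute back out of `name="..."`. The
// closing quote is found first and entities are decoded afterwards, which is
// the order that matters for the thread's argument. Returns null when the
// string is not a single well-formed attribute (e.g. after a quote breakout).
function parseDoubleQuotedAttribute(rendered) {
  const m = /^([^\s="']+)="([^"]*)"$/.exec(rendered);
  return m ? { name: m[1], value: decodeAttributeValue(m[2]) } : null;
}

// Round trip: escaping must not change what the browser eventually sees.
function roundTrips(value) {
  const parsed = parseDoubleQuotedAttribute(renderAttribute("x", value));
  return parsed !== null && parsed.value === value;
}

// Constructed inputs: the three values the thread says escaping would break,
// plus an attribute-breakout attempt.
const SAMPLES = [
  "http://www.example.com?a=b&c=d",
  "doSomething('parameter')",
  "if (this.value < 20 || this.value > 50)",
  '" onmouseover="alert(1)',
];

// Stand-alone run: print each sample with its escaped form and round-trip result.
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", renderAttribute("x", s), roundTrips(s));
}
```

Run with `node`; the breakout sample renders to `x="&quot; onmouseover=&quot;alert(1)"` and decodes back to the original string, whereas `renderAttributeUnescaped` on the same value produces two attributes and no longer parses as one.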