[
https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257481#comment-13257481
]
Andrea Del Bene commented on WICKET-4505:
-----------------------------------------
The input for text fields is unescaped by class TagAttributes when it is
inserted inside value="" attribute. Maybe this is done for security reasons?
Anyway, I think TagAttributes should replace any occurrence of character
double-quotes ("') before rendering attribute values. I would modify method
'unescapeHtml(Object value)' like this:
private static final Object unescapeHtml(Object value)
{
if (value instanceof CharSequence)
{
CharSequence unescapedMarkup =
Strings.unescapeMarkup(value.toString());
return Strings.replaceAll(unescapedMarkup, "\"",
"\\\"");
}
else
{
return value;
}
}
> AbstractTextComponent not escaping html data by default therefore user text
> is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4505
> URL: https://issues.apache.org/jira/browse/WICKET-4505
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.5.5
> Reporter: Jean-Philippe Boudreault
> Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is
> not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my½companyname and press enter
> * The field will not redisplay the text entered properly
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
