StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20)
----------------------------------------------------------------

                 Key: LANG-439
                 URL: https://issues.apache.org/jira/browse/LANG-439
             Project: Commons Lang
          Issue Type: Bug
    Affects Versions: 2.4
         Environment: java5
            Reporter: Pavel Sivolobtchik
             Fix For: 2.4


I encountered this problem when I sent HTML from the server to a client using 
AjaxRequest. The HTML was escaped, then wrapped in CDATA. I thought it was pretty safe. 
See my XML fragment below:
//------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<ajax-fragment>
<html-rows>
<![CDATA[
<div style="padding-left: 1px;" class="columnContent4  column4">
<span  column-id="Message"  class="cellContent"  
onmouseover="w12450823.onDwell(event); 
w12450823.onCellSelectionOnMouseOver(event);"  
onclick="w12450823.onCellSelectionOnClick(event)"  >May 29 10:48:29 rdia643 su: 
- 2 nitroqa-nss</span></div>
]]>
</html-rows>
</ajax-fragment>
//------------------------------------------------------------------------------------------
However, in FF2 there was a JS error:
//--------------------------------------------------------------------------------------------
 
Error: not well-formed
Source Code:
<span  column-id="Message"  class="cellContent "  
onmouseover="w12450823.onDwell(event); 
w12450823.onCellSelectionOnMouseOver(event); " 
onclick="w12450823.onCellSelectionOnClick(event)"  >May 29 10:48:29 rdia643 su: 
- 2 nitroqa-nss</span></div
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^
I figured out that StringEscapeUtils.escapeHTML() did not escape one of the 
characters. It was a '\b' (ASCII 8).
I had to change to the org.apache.commons.lang.Entities.escape() method:
// Modified org.apache.commons.lang.Entities.escape(); uses java.io.Writer and java.io.IOException.
public void escape(Writer writer, String str) throws IOException {
    int len = str.length();
    for (int i = 0; i < len; i++) {
        char c = str.charAt(i);
        String entityName = this.entityName(c);
        if (entityName == null) {
            // Control characters below 0x20 are now written as numeric
            // references as well, not only characters above 0x7F.
            if (c < 0x20 || c > 0x7F) {
                writer.write("&#");
                writer.write(Integer.toString(c, 10));
                writer.write(';');
            } else {
                writer.write(c);
            }
        } else {
            // Named entity (e.g. lt, amp) known to this Entities instance.
            writer.write('&');
            writer.write(entityName);
            writer.write(';');
        }
    }
}

//---------------------------------------------------------------------------------------
It can be tested with a unit test:
assertEquals("abc&#8;", StringEscapeUtils.escapeHtml("abc\b"));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
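As an added example (not code from the report or from Commons Lang), the Python below mirrors the proposed Entities.escape() change and reproduces the well-formedness check the browser's XML parser applies to the ajax-fragment document from the report: the raw backspace inside CDATA is rejected, the numerically escaped row is accepted, and the client still receives the literal "&#8;" for its HTML parser. The row text is a constructed sample modelled on the log line in the report.

```python
import xml.etree.ElementTree as ET

# Named entities every HTML escaper must emit (HTML 4 basic set).
_NAMED = {"&": "amp", "<": "lt", ">": "gt", '"': "quot"}

def escape_html(text: str) -> str:
    """Escape like the proposed Entities.escape() change: a named entity where
    one exists, a decimal reference for control (< 0x20) and non-ASCII (> 0x7F)
    characters, everything else verbatim."""
    out = []
    for c in text:
        name = _NAMED.get(c)
        if name is not None:
            out.append("&" + name + ";")
        elif ord(c) < 0x20 or ord(c) > 0x7F:
            out.append("&#%d;" % ord(c))
        else:
            out.append(c)
    return "".join(out)

def wrap_in_cdata(html: str) -> str:
    """Build the <ajax-fragment> envelope from the report around one HTML row."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            "<ajax-fragment><html-rows><![CDATA[" + html
            + "]]></html-rows></ajax-fragment>")

def is_well_formed(xml_doc: str) -> bool:
    """True if a strict XML parser accepts the document, as the browser's does."""
    try:
        ET.fromstring(xml_doc.encode("utf-8"))
        return True
    except ET.ParseError:
        return False

def cdata_payload(xml_doc: str) -> str:
    """What the client pulls out of <html-rows> before handing it to the HTML parser."""
    return ET.fromstring(xml_doc.encode("utf-8")).findtext("html-rows")

if __name__ == "__main__":
    # Constructed sample: the row text contains a backspace (U+0008) that the
    # unmodified escaper passed through unchanged.
    row = "su: \b- 2 nitroqa-nss"
    print(is_well_formed(wrap_in_cdata(row)))               # False: raw \b breaks the XML
    print(is_well_formed(wrap_in_cdata(escape_html(row))))  # True: "&#8;" is plain text in CDATA
    print(cdata_payload(wrap_in_cdata(escape_html(row))))   # su: &#8;- 2 nitroqa-nss
```

The escaped form parses only because CDATA keeps "&#8;" literal; placed directly in XML 1.0 content (outside CDATA) that reference is itself rejected, since U+0008 is not a legal XML character, so the numeric escape helps the HTML consumer but does not make a control character acceptable to XML.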