StringEscapeUtils.escapeHTML() does not escape chars (0x00-0x20)
----------------------------------------------------------------
Key: LANG-439
URL: https://issues.apache.org/jira/browse/LANG-439
Project: Commons Lang
Issue Type: Bug
Affects Versions: 2.4
Environment: java5
Reporter: Pavel Sivolobtchik
Fix For: 2.4
I encountered this problem when I sent HTML from the server to a client using
AjaxRequest. The HTML was escaped and wrapped in CDATA. I thought it was pretty safe.
See my XML fragment below:
//------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<ajax-fragment>
<html-rows>
<![CDATA[
<div style="padding-left: 1px;" class="columnContent4 column4">
<span column-id="Message" class="cellContent"
onmouseover="w12450823.onDwell(event);
w12450823.onCellSelectionOnMouseOver(event);"
onclick="w12450823.onCellSelectionOnClick(event)" >May 29 10:48:29 rdia643 su:
- 2 nitroqa-nss</span></div>
]]>
</html-rows>
</ajax-fragment>
//------------------------------------------------------------------------------------------
However, in FF2 there was a JS error:
//--------------------------------------------------------------------------------------------
Error: not well-formed
Source Code:
<span column-id="Message" class="cellContent "
onmouseover="w12450823.onDwell(event);
w12450823.onCellSelectionOnMouseOver(event); "
onclick="w12450823.onCellSelectionOnClick(event)" >May 29 10:48:29 rdia643 su:
- 2 nitroqa-nss</span></div
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^
I figured out that StringEscapeUtils.escapeHTML() did not escape one of the
characters. It was a '\b' (ASCII 8).
I had to change the org.apache.commons.lang.Entities.escape() method:
public void escape(Writer writer, String str) throws IOException {
    int len = str.length();
    for (int i = 0; i < len; i++) {
        char c = str.charAt(i);
        String entityName = this.entityName(c);
        if (entityName == null) {
            // Emit a numeric reference for control characters below 0x20
            // (the ones escapeHTML() passed through) as well as for
            // characters above 0x7F.
            if (c < 0x20 || c > 0x7F) {
                writer.write("&#");
                writer.write(Integer.toString(c, 10));
                writer.write(';');
            } else {
                writer.write(c);
            }
        } else {
            writer.write('&');
            writer.write(entityName);
            writer.write(';');
        }
    }
}
//---------------------------------------------------------------------------------------
It can be tested with a unit test:
// 0x08 must come back as a numeric entity, not as the raw control character
assertEquals("abc&#8;", StringEscapeUtils.escapeHtml("abc\b"));
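As an added example (not Commons Lang code), the two checks a caller wants when an HTML-escaped string is embedded in an XML/CDATA response like the fragment above: an escaper that turns the C0 controls escapeHTML() 2.4 passed through into numeric references, and a scan for characters that XML 1.0 forbids, which is what made Firefox report "not well-formed". Class and method names are assumptions; the sample log line is constructed.

```java
// Assumed class/method names; not Commons Lang code.
public final class ControlSafeHtmlEscaper {
    // Escapes &, <, >, " and, like the patched Entities.escape() in the report,
    // every C0 control (0x00-0x1F) as a numeric reference, except TAB, LF and CR,
    // which XML 1.0 allows verbatim. Non-ASCII is copied through: the response
    // above declares UTF-8, so it needs no entity.
    public static String escapeHtml(String str) {
        StringBuilder out = new StringBuilder(str.length() + 16);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                default:
                    if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') {
                        out.append("&#").append((int) c).append(';');
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // What Firefox's XML parser effectively checked on the CDATA text: true only if
    // every char is legal XML 1.0 character data (lone surrogates are not caught).
    public static boolean isXmlCharData(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\t' || c == '\n' || c == '\r' || Character.isSurrogate(c)) {
                continue;
            }
            if (c < 0x20 || (c > 0xD7FF && c < 0xE000) || c > 0xFFFD) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the report: a log line with a backspace (0x08).
        String raw = "May 29 10:48:29 rdia643 su:\b- 2 <nitroqa-nss>";
        String escaped = escapeHtml(raw);
        System.out.println("raw well-formed: " + isXmlCharData(raw));
        System.out.println("escaped: " + escaped);
        System.out.println("escaped well-formed: " + isXmlCharData(escaped));
    }
}
```

Inside CDATA the reference is plain text, so the XML stays well-formed and the HTML parser applied afterwards tolerates `&#8;`. Placed in ordinary XML element content instead, `&#8;` would itself be rejected, because XML 1.0 only allows character references to characters that are legal in the document.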
--
This message is automatically generated by JIRA.