Aaron Freeman wrote:
> Ok, thanks, we will hold off on pushing forward on upgrading until we 
> get some idea as to whether this is an issue or not.
>   
I checked with the spec and the reference implementation: you're not 
supposed to escape content inside a jsp:param. The container is 
responsible for any encoding.

However, Resin does have a bug in its own encoding for 4.0.5 (fixed for 
4.0.6.) So you'll need to wait until at least 4.0.6 for the fix.

(4.0.6 is expected next week. It's a short ipv6 release.)

-- Scott
> Aaron
>
>
> On 3/31/2010 2:53 PM, Scott Ferguson wrote:
>   
>> Aaron Freeman wrote:
>>    
>>     
>>> We are experiencing a fundamental change in how data is being passed as
>>> a jsp:param between 3.0.22 and 4.0.5.  We need to know if this change is
>>> intentional as it has a work-heavy impact on converting our code base
>>> over which currently relies on the behavior of 3.0.x.
>>>
>>> It appears that a call to jsp:include was automatically URL decoding any
>>> strings that were passed in, and that that behavior has changed.
>>>
>>> I have included source to two files that will demonstrate the behavior
>>> change (in case it's not intentional).  And here are the results of
>>> running it:
>>>
>>>      
>>>       
>> I've added a bug report for this at http://bugs.caucho.com/view.php?id=3976.
>>
>> I'll need to check, but there's a good chance this change was made to
>> conform to either the JSP or JSTL spec/TCK.
>>
>> -- Scott
>>    
>>     
>>> ---- on resin-pro-3.0.22 ----
>>>
>>> URL encoded before pass to jsp:include:
>>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>>
>>> Test: 1<  2 and width="100ïand ampersand=
>>> Here it is as seen inside of test-process.jsp:
>>> Test: 1<  2 and width="100%" and ampersand=&.
>>>
>>>
>>> ---- on resin-pro-4.0.5 ----
>>>
>>> URL encoded before pass to jsp:include:
>>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>>
>>> Test: 1<  2 and width="100ïand ampersand=
>>> Here it is as seen inside of test-process.jsp:
>>> Test:+1+<+2+and+width="100%"+and+ampersand=&.
>>>
>>>
>>>
>>> <%----- BEGIN test.jsp -----%>
>>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>>> <%@ taglib uri="http://www.sendthisfile.com/taglib/httputil"
>>> prefix="httputil" %>
>>>
>>> <c:if test="${!empty param.textarea}">
>>>       textarea param exists:<br/>
>>>       ${param.textarea}<br/><br/>
>>>
>>> <c:set var="textareaUrlEncodedBefore"
>>> value="${httputil:urlEncode(param.textarea)}"/>
>>>       URL encoded before pass to jsp:include:<br/>
>>>       ${textareaUrlEncodedBefore}<br/><br/>
>>> </c:if>
>>>
>>> <%-- Set some requestscope variable in test.jsp --%>
>>> <jsp:include page="/test-process.jsp">
>>> <jsp:param name="textarea" value="${param.textarea}"/>
>>> <jsp:param name="textareaUrlEncoded" value="${textareaUrlEncodedBefore}"/>
>>> </jsp:include>
>>>
>>> <form action="/test.jsp">
>>>
>>> <textarea name="textarea">${requestScope.processedTextarea}</textarea>
>>>
>>> <input type="submit"></input>
>>>
>>> </form>
>>>
>>> <c:if test="${!empty requestScope.urlEncoded}">
>>>       Here it is as seen inside of test-process.jsp:<br/>
>>>       ${requestScope.urlEncoded}
>>> </c:if>
>>> <%----- END test.jsp -----%>
>>>
>>>
>>> <%----- BEGIN test-process.jsp -----%>
>>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>>>
>>> <c:choose>
>>>
>>> <c:when test="${empty param.textarea}">
>>> <c:set var="processedTextarea" scope="request">Test: 1<  2 and
>>> width="100%" and ampersand=&.</c:set>
>>> </c:when>
>>>
>>> <c:otherwise>
>>> <c:set var="processedTextarea" scope="request">${param.textarea}</c:set>
>>> </c:otherwise>
>>>
>>> </c:choose>
>>>
>>> <c:set var="urlEncoded" scope="request">${param.textareaUrlEncoded}</c:set>
>>> <%----- END test-process.jsp -----%>
>>>
>>>
>>> Thanks for your thoughts on this,
>>>
>>> Aaron
>>>      
>>>       
>
>
>
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest
>
>   
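
The hand-off discussed in this thread, as an added example (not code from the thread or from Resin): a small Java 10+ model of what the included page reads when the container encodes the jsp:param value itself versus when it appends the value as-is and the caller pre-encodes. The class and method names, the query-string model, and the assumption that httputil:urlEncode behaves like URLEncoder are illustrative; the 4.0.5 output quoted above is not reproduced.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added model of a jsp:param hand-off (assumption; not Resin's code).
public class JspParamModel {
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // What the included page reads: split the query on '&', then decode once.
    static String readParam(String query, String name) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0 || !pair.substring(0, eq).equals(name)) continue;
            try {
                return URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                // A bare '%' that is not followed by two hex digits cannot be decoded.
                return "<malformed escape: " + pair.substring(eq + 1) + ">";
            }
        }
        return null;
    }

    // Container encodes the value itself (the behaviour the reply attributes to the spec).
    static String containerEncodes(String value) {
        return readParam("textarea=" + enc(value), "textarea");
    }

    // Container appends the value as-is, so the caller must pre-encode
    // (assumed model of the 3.0.x behaviour reported in the thread).
    static String containerPassesRaw(String value) {
        return readParam("textarea=" + value, "textarea");
    }

    public static void main(String[] args) {
        // Sample string from the thread's test page.
        String raw = "Test: 1 < 2 and width=\"100%\" and ampersand=&.";
        String pre = enc(raw);  // stands in for httputil:urlEncode (assumption)

        System.out.println("pre-encoded by caller      : " + pre);
        System.out.println("container encodes, raw in  : " + containerEncodes(raw));
        System.out.println("container encodes, pre in  : " + containerEncodes(pre));
        System.out.println("container raw, pre in      : " + containerPassesRaw(pre));
        System.out.println("container raw, raw in      : " + containerPassesRaw(raw));
    }
}
```

When the container does the encoding, a pre-encoded value arrives still encoded, so the caller-side urlEncode has to go; when nothing encodes, the raw value is cut at the `&` and the bare `%` fails to decode.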


