[ https://issues.apache.org/jira/browse/LANG-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Gregory updated LANG-363:
------------------------------

    Summary: StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly  (was: StringEscapeUtils..escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly)

fix typo in summary field

> StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-363
>                 URL: https://issues.apache.org/jira/browse/LANG-363
>             Project: Commons Lang
>          Issue Type: Bug
>    Affects Versions: 2.3
>         Environment: JDK1.5 + commons-lang-2.3.jar + IE 6.0
>            Reporter: Situ Chenghao
>            Priority: Minor
>             Fix For: 2.4
>
>         Attachments: patch.txt
>
>
> If JavaScript includes '/', IE will parse the script incorrectly; actually '/' should be escaped to '\/'.
> For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>'; this expression will make IE render the page incorrectly. It should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';
> Btw, Spring's JavascriptEscape behavior is correct.
> Try running the code below and you will find the difference:
>     String s = "<script>alert('aaa');</script>";
>     String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
>     System.out.println("Spring JS Escape : " + str);
>     str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
>     System.out.println("Apache Common Lang JS Escape : " + str);

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
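
The behaviour described in the report, as an added example that is not part of the JIRA message and is not Commons Lang or Spring code: the HTML parser ends an inline script block at the first `</script`, whatever the JavaScript quoting, so the unescaped literal is cut short while `<\/script` passes through and still evaluates to the same string. All function names are hypothetical and the parser model is a simplification.

```javascript
// Added illustration; names are hypothetical, not Commons Lang or Spring APIs.

// Escape a value for a single-quoted JS string literal.
// escapeSlash toggles the '/' -> '\/' rule the report asks for.
function escapeJs(s, escapeSlash) {
  let out = '';
  for (const ch of s) {
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case "'":  out += "\\'";  break;
      case '"':  out += '\\"';  break;
      case '\n': out += '\\n';  break;
      case '\r': out += '\\r';  break;
      case '/':  out += escapeSlash ? '\\/' : '/'; break;
      default:   out += ch;
    }
  }
  return out;
}

// Simplified model of the HTML tokenizer: the inline script's text stops at
// the first "</script" (case-insensitive), even inside a JS string literal.
function scriptSeenByHtmlParser(scriptSource) {
  const end = scriptSource.search(/<\/script/i);
  return end === -1 ? scriptSource : scriptSource.slice(0, end);
}

// Build the script text, cut it the way the HTML parser would, then evaluate
// what is left the way the JS engine would.
function run(value, escapeSlash) {
  const source = "var v = '" + escapeJs(value, escapeSlash) + "'; return v;";
  const seen = scriptSeenByHtmlParser(source);
  const truncated = seen.length !== source.length;
  try {
    return { truncated, value: new Function(seen)() };
  } catch (e) {
    return { truncated, error: e.name }; // the cut-off literal no longer parses
  }
}

const SAMPLE = "<script>alert('aaa');</script>"; // the string from the report

console.log('without \\/ :', run(SAMPLE, false));
console.log('with \\/    :', run(SAMPLE, true));
```
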