Re: [Resin-interest] jsp:param behavior change from 3.0.22 to 4.0.5
Aaron Freeman wrote:
> Ok, thanks, we will hold off on pushing forward on upgrading until we
> get some idea as to whether this is an issue or not.
>

I checked with the spec and the reference implementation: you're not supposed to escape content inside a jsp:param. The container is responsible for any encoding.

However, Resin does have a bug in its own encoding for 4.0.5 (fixed for 4.0.6.) So you'll need to wait until at least 4.0.6 for the fix. (4.0.6 is expected next week. It's a short ipv6 release.)

-- Scott

> Aaron
>
> On 3/31/2010 2:53 PM, Scott Ferguson wrote:
>> Aaron Freeman wrote:
>>> We are experiencing a fundamental change in how data is being passed as
>>> a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
>>> intentional as it has a work-heavy impact on converting our code base
>>> over which currently relies on the behavior of 3.0.x.
>>>
>>> It appears that a call to jsp:include was automatically URL decoding any
>>> strings that were passed in, and that that behavior has changed.
>>>
>>> I have included source to two files that will demonstrate the behavior
>>> change (in case it's not intentional). And here are the results of
>>> running it:
>>>
>> I've added a bug report for this at http://bugs.caucho.com/view.php?id=3976.
>>
>> I'll need to check, but there's a good chance this change was made to
>> conform to either the JSP or JSTL spec/TCK.
>>
>> -- Scott
>>
>>> on resin-pro-3.0.22
>>>
>>> URL encoded before pass to jsp:include:
>>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>>
>>> Test: 1< 2 and width="100ïand ampersand=
>>> Here it is as seen inside of test-process.jsp:
>>> Test: 1< 2 and width="100%" and ampersand=&.
>>>
>>> on resin-pro-4.0.5
>>>
>>> URL encoded before pass to jsp:include:
>>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>>
>>> Test: 1< 2 and width="100ïand ampersand=
>>> Here it is as seen inside of test-process.jsp:
>>> Test:+1+<+2+and+width="100%"+and+ampersand=&.
>>>
>>> <%- BEGIN test.jsp -%>
>>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>>> <%@ taglib uri="http://www.sendthisfile.com/taglib/httputil"
>>> prefix="httputil" %>
>>>
>>> textarea param exists:
>>> ${param.textarea}
>>>
>>> value="${httputil:urlEncode(param.textarea)}"/>
>>> URL encoded before pass to jsp:include:
>>> ${textareaUrlEncodedBefore}
>>>
>>> <%-- Set some requestscope variable in test.jsp --%>
>>>
>>> ${requestScope.processedTextarea}
>>>
>>> Here it is as seen inside of test-process.jsp:
>>> ${requestScope.urlEncoded}
>>>
>>> <%- END test.jsp -%>
>>>
>>> <%- BEGIN test-process.jsp -%>
>>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>>>
>>> Test: 1< 2 and
>>> width="100%" and ampersand=&.
>>>
>>> ${param.textarea}
>>>
>>> ${param.textareaUrlEncoded}
>>> <%- END test-process.jsp -%>
>>>
>>> Thanks for your thoughts on this,
>>>
>>> Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
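The rule stated in the reply above (the page passes the raw value and exactly one layer encodes it) can be seen in a small model. This is an added example, not code from the thread or from Resin: `parseQuery` is a hypothetical stand-in for a container splitting and decoding an include's query string, the sample value is the one from the test pages, and Java 10 or later is assumed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; not Resin code. parseQuery() is a hypothetical model of
// a container splitting an include's query string and decoding each part once.
public class JspParamEncodingDemo {
    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    static String decodeOnce(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // e.g. a bare '%' that is not followed by two hex digits
            return "<malformed escape in: " + s + ">";
        }
    }

    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decodeOnce(name), decodeOnce(value));
        }
        return params;
    }

    public static void main(String[] args) {
        // The sample value used in the thread's test pages.
        String raw = "Test: 1 < 2 and width=\"100%\" and ampersand=&.";

        // 1. Nobody encodes: '&' ends the parameter early and the text after it
        //    becomes a separate parameter; the stray '%' is a malformed escape.
        System.out.println("unencoded:     " + parseQuery("textarea=" + raw));

        // 2. Encoded exactly once (the container's job): the value round-trips.
        Map<String, String> once = parseQuery("textarea=" + encode(raw));
        System.out.println("encoded once:  " + once.get("textarea").equals(raw));

        // 3. Page pre-encodes and the container encodes again: the receiver
        //    sees the still-encoded text, not the original value.
        Map<String, String> twice = parseQuery("textarea=" + encode(encode(raw)));
        System.out.println("encoded twice: " + twice.get("textarea"));
    }
}
```

Code that relied on the older behaviour by pre-encoding values falls into case 3 once the container encodes for it, and anything that skips encoding entirely lets a value containing `&` or `=` change the parameter list the included page receives.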
Re: [Resin-interest] jsp:param behavior change from 3.0.22 to 4.0.5
Ok, thanks, we will hold off on pushing forward on upgrading until we get some idea as to whether this is an issue or not.

Aaron

On 3/31/2010 2:53 PM, Scott Ferguson wrote:
> Aaron Freeman wrote:
>> We are experiencing a fundamental change in how data is being passed as
>> a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
>> intentional as it has a work-heavy impact on converting our code base
>> over which currently relies on the behavior of 3.0.x.
>>
>> It appears that a call to jsp:include was automatically URL decoding any
>> strings that were passed in, and that that behavior has changed.
>>
>> I have included source to two files that will demonstrate the behavior
>> change (in case it's not intentional). And here are the results of
>> running it:
>>
> I've added a bug report for this at http://bugs.caucho.com/view.php?id=3976.
>
> I'll need to check, but there's a good chance this change was made to
> conform to either the JSP or JSTL spec/TCK.
>
> -- Scott
>
>> on resin-pro-3.0.22
>>
>> URL encoded before pass to jsp:include:
>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>
>> Test: 1< 2 and width="100ïand ampersand=
>> Here it is as seen inside of test-process.jsp:
>> Test: 1< 2 and width="100%" and ampersand=&.
>>
>> on resin-pro-4.0.5
>>
>> URL encoded before pass to jsp:include:
>> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>>
>> Test: 1< 2 and width="100ïand ampersand=
>> Here it is as seen inside of test-process.jsp:
>> Test:+1+<+2+and+width="100%"+and+ampersand=&.
>>
>> <%- BEGIN test.jsp -%>
>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>> <%@ taglib uri="http://www.sendthisfile.com/taglib/httputil"
>> prefix="httputil" %>
>>
>> textarea param exists:
>> ${param.textarea}
>>
>> value="${httputil:urlEncode(param.textarea)}"/>
>> URL encoded before pass to jsp:include:
>> ${textareaUrlEncodedBefore}
>>
>> <%-- Set some requestscope variable in test.jsp --%>
>>
>> ${requestScope.processedTextarea}
>>
>> Here it is as seen inside of test-process.jsp:
>> ${requestScope.urlEncoded}
>>
>> <%- END test.jsp -%>
>>
>> <%- BEGIN test-process.jsp -%>
>> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>>
>> Test: 1< 2 and
>> width="100%" and ampersand=&.
>>
>> ${param.textarea}
>>
>> ${param.textareaUrlEncoded}
>> <%- END test-process.jsp -%>
>>
>> Thanks for your thoughts on this,
>>
>> Aaron
Re: [Resin-interest] jsp:param behavior change from 3.0.22 to 4.0.5
Aaron Freeman wrote:
> We are experiencing a fundamental change in how data is being passed as
> a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
> intentional as it has a work-heavy impact on converting our code base
> over which currently relies on the behavior of 3.0.x.
>
> It appears that a call to jsp:include was automatically URL decoding any
> strings that were passed in, and that that behavior has changed.
>
> I have included source to two files that will demonstrate the behavior
> change (in case it's not intentional). And here are the results of
> running it:
>

I've added a bug report for this at http://bugs.caucho.com/view.php?id=3976.

I'll need to check, but there's a good chance this change was made to conform to either the JSP or JSTL spec/TCK.

-- Scott

> on resin-pro-3.0.22
>
> URL encoded before pass to jsp:include:
> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>
> Test: 1 < 2 and width="100ïand ampersand=
> Here it is as seen inside of test-process.jsp:
> Test: 1 < 2 and width="100%" and ampersand=&.
>
> on resin-pro-4.0.5
>
> URL encoded before pass to jsp:include:
> Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.
>
> Test: 1 < 2 and width="100ïand ampersand=
> Here it is as seen inside of test-process.jsp:
> Test:+1+<+2+and+width="100%"+and+ampersand=&.
>
> <%- BEGIN test.jsp -%>
> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
> <%@ taglib uri="http://www.sendthisfile.com/taglib/httputil"
> prefix="httputil" %>
>
> textarea param exists:
> ${param.textarea}
>
> value="${httputil:urlEncode(param.textarea)}"/>
> URL encoded before pass to jsp:include:
> ${textareaUrlEncodedBefore}
>
> <%-- Set some requestscope variable in test.jsp --%>
>
> ${requestScope.processedTextarea}
>
> Here it is as seen inside of test-process.jsp:
> ${requestScope.urlEncoded}
>
> <%- END test.jsp -%>
>
> <%- BEGIN test-process.jsp -%>
> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
>
> Test: 1 < 2 and
> width="100%" and ampersand=&.
>
> ${param.textarea}
>
> ${param.textareaUrlEncoded}
> <%- END test-process.jsp -%>
>
> Thanks for your thoughts on this,
>
> Aaron
Re: [Resin-interest] jsp:param behavior change from 3.0.22 to 4.0.5
Oh, you will have to swap out the httputil with whatever you use to URLEncode strings in order to test it.

Thanks,

Aaron

On 3/31/2010 2:46 PM, Aaron Freeman wrote:

We are experiencing a fundamental change in how data is being passed as a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is intentional as it has a work-heavy impact on converting our code base over which currently relies on the behavior of 3.0.x.

It appears that a call to jsp:include was automatically URL decoding any strings that were passed in, and that that behavior has changed.

I have included source to two files that will demonstrate the behavior change (in case it's not intentional). And here are the results of running it:

on resin-pro-3.0.22

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1< 2 and width="100ïand ampersand=
Here it is as seen inside of test-process.jsp:
Test: 1< 2 and width="100%" and ampersand=&.

on resin-pro-4.0.5

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1< 2 and width="100ïand ampersand=
Here it is as seen inside of test-process.jsp:
Test:+1+<+2+and+width="100%"+and+ampersand=&.

<%- BEGIN test.jsp -%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.sendthisfile.com/taglib/httputil" prefix="httputil" %>

textarea param exists:
${param.textarea}

URL encoded before pass to jsp:include:
${textareaUrlEncodedBefore}

<%-- Set some requestscope variable in test.jsp --%>

${requestScope.processedTextarea}

Here it is as seen inside of test-process.jsp:
${requestScope.urlEncoded}

<%- END test.jsp -%>

<%- BEGIN test-process.jsp -%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

Test: 1< 2 and width="100%" and ampersand=&.

${param.textarea}

${param.textareaUrlEncoded}
<%- END test-process.jsp -%>

Thanks for your thoughts on this,

Aaron