Hi,

Stripes does a couple of replacements to ensure the correct HTML rendering and avoid some basic XSS attacks: it replaces some special characters with their corresponding HTML entities. The code doing this is in:

net.sourceforge.stripes.util.HtmlUtil#encode(String fragment)

which is called by the Stripes tags.

The problem is that replacing the & (ampersand) character (in the way it is done right now) destroys (already correct) HTML entities. For example, if your input string contains "&euro;" (the HTML entity for the Euro sign) the resulting code is "&amp;euro;" which is displayed as "&euro;".

I think that this problem occurs more often in European web apps because of our Euro sign and our special chars like German umlauts or the French accents (ä => ä é => é etc.) *LOL*

I see two solutions for this problem:

1. Implement a more advanced (e.g. regex based) replacement that "knows" about HTML entities:
   &(?![A-Za-z]+;) => &amp; instead of the simple & => &amp;

2. Don't replace the & at all. AFAIK the only problem is that a simple &-sign is not XML/XHTML compliant for tag-body content (it's valid for attributes).

What do you think?

Sebastian

--
Sebastian Beigel // Software Architect
(F) Die Firma GmbH // Innovative Kommunikation
Schwalbacher Straße 74 // D-65183 Wiesbaden
T +49.6 11.2 38 50.24 // F +49.6 11.2 38 50.11
mailto:[EMAIL PROTECTED] // http://www.diefirma.de
Amtsgericht Wiesbaden // HRB 1091
GF // M. Fischer, J. Fritz, C. Kepper, C. Kremers, M. Wenig
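The first option from the message, as an added Java example that is neither Stripes code nor the poster's: it compares the replace-every-ampersand behaviour with an entity-aware replacement. The class and method names, the set of other escaped characters, and the extension of the lookahead to numeric references (&#8364;, &#x20AC;) go beyond the message and are assumptions.

```java
import java.util.regex.Pattern;

public class EntityAwareEncode {
    // A '&' that does not already start a named (&euro;), decimal (&#8364;)
    // or hexadecimal (&#x20AC;) character reference.
    private static final Pattern BARE_AMP = Pattern.compile(
        "&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)");

    // Behaviour described in the post: every '&' becomes "&amp;".
    static String encodeNaive(String s) {
        return escapeMarkup(s.replace("&", "&amp;"));
    }

    // Option 1 from the post: keep existing references, escape bare '&'.
    static String encodeEntityAware(String s) {
        return escapeMarkup(BARE_AMP.matcher(s).replaceAll("&amp;"));
    }

    // Assumed set of other escaped characters; must run after the '&' step
    // so the entities produced here are not escaped a second time.
    private static String escapeMarkup(String s) {
        return s.replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        String[] samples = {        // constructed inputs
            "Price: 5 &euro;",
            "Tom & Jerry <b>",
            "&#8364; and &#x20AC;",
            "AT&T; rates",          // looks like a reference, so it is left alone
            "a &b c; d"             // space breaks the name, so '&' is escaped
        };
        for (String s : samples) {
            System.out.printf("%-22s naive=%-32s aware=%s%n",
                s, encodeNaive(s), encodeEntityAware(s));
        }
    }
}
```

The pattern only checks the shape of a reference, not whether the name exists, so literal text that happens to look like one (the `AT&T;` sample) passes through unescaped and is rendered by the browser as whatever that reference means.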
