What's the standard way of quoting text for inclusion in a web page in
Java? Ie. I need a method to convert the string
Jeb said, "Hell & damnation! Is 5 > 4?"
to
Jeb said, "Hell & damnation! Is 5 > 4?"
(I think: I've never been entirely sure what the right way to handle
quotes is.) That is, I want the standard Java equivalent of Python's
cgi.escape(), or Perl's CGI::escapeHTML().
To my utter amazement, I cannot find any indication that such a method
even exists in the standard Java library! (I tried Google'ing and
poking through the JDK 1.4 docs.)
So I went looking in the source for Tomcat 4.1.27 -- surely the HTML
version of the manager app must quote at least the webapp's display
name, since it comes from a user-supplied file and therefore might
contain funny characters. Surprisingly, the manager just lets funny
characters through without touching them. Eg. if you put
<display-name>foo & bar webapp</display-name>
then "&" is translated back to "&" by some part of the XML-parsing
chain, and is emitted as "&" in the manager HTML page. Most browsers
can deal with minor violations like this, but it's still technically
incorrect. Just for fun I tried this:
<display-name>my <script>alert("foo");</script></display-name>
...and it works! The manager emits this HTML:
<td class="row-left"><small>my <script>alert("foo");</script> webapp</small></td>
and my browser pops up a JavaScript window while rendering the manager
page. Cool! I doubt this is a security hole -- not many people can
edit web.xml! -- but surely it at least counts as a rendering bug. ;-)
So: can someone tell me what the standard way of quoting text for
inclusion in a web page generated by a Java web application is?
Thanks!
Greg
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
