Hello,
When diving into the core of Wicket in order to help solve an issue with form components, I was surprised by two things:
- Component.getModelObjectAsString() returns an HTML-escaped version of the model value. I'm not sure that this is a desired behaviour in some circumstances. For example, if a Component creator wants to override the onRenderTag() method of the component (not sure of the name, but you see the point), and wants to write some JavaScript in an attribute, and the JavaScript is composed of static text and getValue() / getModelValue() method calls, then the JavaScript will embed an already HTML-escaped version of the model ... not that good?
- The ComponentTag.writeOutput..(..) method writes, at the end of the method, the content of the attributes in a loop. For each attribute, it does not HTML-escape the value of the attribute. This is consistent with the behaviour of getModelObjectAsString() as seen above, but is not very secure.
Indeed, the responsibility of giving a well-formed (understand: HTML-escaped) string as the value of an attribute has been moved to the component developer ...
There is also something weird in the ComponentTag.writeOutput...(...) method with attribute value handling: double quotes are replaced with backslashed double quotes (" is replaced by \").
It sounds to me like the result of some hack made when, at some point in the past, a bug in embedding JavaScript in the tag values was discovered.
But I don't think it's the right way to do things.
The two points above are closely related, but don't solve the problems once and for all.
Here is what I would suggest:
- Remove the HTML escaping from the Component.getModelObjectAsString() method.
- Add the HTML escaping to the ComponentTag.writeOutput() method, in the attributes loop.
- Remove the weird replacement of double quotes by backslashed double quotes in the attributes loop.
I can't test it by myself now, but I'm pretty sure this would be good, for all the points I've mentioned above: more centralized, more secure, and more powerful (because getModelAsString() will return a usable value to be included in JavaScript literal strings ...)
HTH,
--
Laurent
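Added illustration of the split proposed in the message (this is example code written for this page, not Wicket's own code): the tag writer HTML-escapes every attribute value at output time, the raw model value stays usable for building a JavaScript literal with its own (separate) escaping, and the backslashed-quote replacement is shown for comparison. The class name, escapeJsString() and the setGreeting() handler are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper, not part of Wicket: centralised attribute escaping at write time. */
public final class AttributeEscaping {

    /** HTML-escape a string for use inside a double-quoted attribute value. */
    public static String escapeAttribute(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape a raw value for use inside a JavaScript string literal (a different layer than HTML). */
    public static String escapeJsString(String raw) {
        return raw.replace("\\", "\\\\").replace("'", "\\'").replace("\"", "\\\"")
                  .replace("\n", "\\n").replace("\r", "\\r");
    }

    /** The behaviour the message describes: only " becomes \", which HTML does not treat as an escape. */
    public static String backslashQuotes(String raw) {
        return raw.replace("\"", "\\\"");
    }

    /** Centralised output: every attribute value is escaped here, not by the component developer. */
    public static String writeTag(String tagName, Map<String, String> attributes) {
        StringBuilder sb = new StringBuilder("<").append(tagName);
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            sb.append(' ').append(e.getKey()).append("=\"")
              .append(escapeAttribute(e.getValue())).append('"');
        }
        return sb.append("/>").toString();
    }

    public static void main(String[] args) {
        String modelValue = "say \"hi\"";                 // constructed sample model value (unescaped)
        System.out.println(backslashQuotes(modelValue));  // the \" still closes the attribute in HTML
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("value", modelValue);                                          // escaped by writeTag
        attrs.put("onclick", "setGreeting('" + escapeJsString(modelValue) + "')"); // JS layer, then HTML layer
        System.out.println(writeTag("input", attrs));
    }
}
```

The browser decodes the attribute entities before the JavaScript engine sees the onclick text, so the JS-level escapes survive intact while the attribute boundary is never broken by the model value.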
