Well, after fix for Bug 55198, if a tag file contains <a href="#" onclick="window.alert("${text}")">foobar</a> It can now be correctly rendered as (if text='foobar') <a href="#" onclick="window.alert("foobar")">foobar</a> But, It is rendered completely wrongly as ***** IF text='&foobar' ***** <a href="#" onclick="window.alert("&amp;foobar")">foobar</a> The EL expression ${text} should be rendered without any escape, but now it is escaped just as other literal part in the attribute. Generally, a tagx file's compiler must not make any assumption that it's output is a well-formed XML or not, it should just keep the literal atrribute or text as is, and output any EL expression directly. It's the tagx file's author's reponsibility to determine whether a text variable should be escaped, e.g.: <a href="#" onclick="window.alert("${fn:escape(text)}")">foobar</a> Suppose we have: request.setAttribute("text", "2 > 1"); And in a tagx file: <div title=""${text}"">"${text}"</div> The correct output could be: <div title=""2 > 1"">"2 > 1"</div> But neither <div title=""2 &gt; 1"">"2 > 1"</div> nor <div title=""2 > 1"">"2 > 1"</div>
Um... it seems JSP spec doesn't clarify the behavior at all... But XSLT does. If we "borrow" rules from XSLT, then some correct examples could be (text="2 > 1"): tagx/jspx: <div title=""${text}"">ABCD</div> output: <div title=""2 &gt; 1"">ABCD</div> tagx/jspx: <div>"<c:out value="&nbsp;${text}"" escapeXml="false"></div> output: <div>" 2 > 1"</div> But XSLT doesn't allow expressions in template text, thus, what can be the correct result generated by the following example? tagx/jspx: <div>"${text}"</div> Should it be output: <div>"2 &gt; 1"</div> or output: <div>"2 > 1"</div> or output: <div>"2 > 1"</div> or output: <div>"2 &gt; 1"</div> ????????
Conclusion: 1. If you use jspx or tagx, then never use any EL expressions within attribute values, and always use JSTL <out> tag to output expression values within template content -- unless you know the expression value must not contain any XML reserved characters; 2. Do not use jspx or tagx at all, use jsp and tag files instead -- whose behaviors are relatively determined.
Thanks for the report. This was a regression in the fix for bug55198. This has been fixed in trunk for 8.0.0-RC6 onwards. This has been fixed in 7.0.x for 7.0.48 onwards.
I've updated the back-port proposal for 55198 to include the fix for this regression so there is no need to keep this bug open.