--- runtime/PageContextImpl.java (revision 1384312)
+++ runtime/PageContextImpl.java (working copy)
@@ -913,28 +913,69 @@
         }
     }
-    private static String XmlEscape(String s) {
-        if (s == null)
+    protected static String XmlEscape(String s) {
+        if (s == null) {
             return null;
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < s.length(); i++) {
+        }
+        int len = s.length();
+
+        /*
+         * Look for any "bad" characters, Escape "bad" character was found
+         */
+        // ASCII " 34 & 38 ' 39 < 60 > 62
+        for (int i = 0; i < len; i++) {
             char c = s.charAt(i);
+            if (c >= '\"'
+                    && c <= '>'
+                    && (c == '<' || c == '>' || c == '\'' || c == '&' || c == '"')) {
+                // need to escape them and then quote the whole string
+                StringBuilder sb = new StringBuilder((int) (len * 1.2));
+                sb.append(s, 0, i);
+                int pos = i + 1;
+                for (int j = i; j < len; j++) {
+                    c = s.charAt(j);
+                    if (c >= '\"' && c <= '>') {
             if (c == '<') {
+                            if (j > pos) {
+                                sb.append(s, pos, j);
+                            }
                 sb.append("<");
+                            pos = j + 1;
             } else if (c == '>') {
+                            if (j > pos) {
+                                sb.append(s, pos, j);
+                            }
                 sb.append(">");
+                            pos = j + 1;
             } else if (c == '\'') {
+                            if (j > pos) {
+                                sb.append(s, pos, j);
+                            }
                 sb.append("'"); // '
+                            pos = j + 1;
             } else if (c == '&') {
+                            if (j > pos) {
+                                sb.append(s, pos, j);
+                            }
                 sb.append("&");
+                            pos = j + 1;
             } else if (c == '"') {
+                            if (j > pos) {
+                                sb.append(s, pos, j);
+                            }
                 sb.append("""); // "
-            } else {
-                sb.append(c);
+                            pos = j + 1;
             }
         }
+                }
+                if (pos < len) {
+                    sb.append(s, pos, len);
+                }
         return sb.toString();
     }
+        }
+        return s;
+    }
     /**
      * Proprietary method to evaluate EL expressions. XXX - This method should
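Review bot: The replacement strings in the new inner loop read, as rendered here, as the bare characters they are meant to replace (`sb.append("<");`, `sb.append("&");`, `sb.append("""); // "`), which would make XmlEscape a no-op; the XML character references were presumably decoded when this page was rendered, but it is worth confirming that the committed file still appends the reference forms, since any regression there silently removes the escaping. The method also has no Javadoc; I would add one stating that it returns null for null, returns the input instance unchanged when none of the five characters `" & ' < >` occur, and otherwise returns a new string with each of those characters replaced by its XML character reference. The scan comment `Look for any "bad" characters, Escape "bad" character was found` is hard to read; `// Scan for the first character that needs escaping; only then allocate a builder` describes what the outer loop does. Widening the method from private to protected makes it part of the subclass contract, so a short note on why it is exposed would help future maintainers.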