ASF Bugzilla – Attachment 31401 Details for
Bug 56265
Unexpected escaping in the values of dynamic tag attributes containing EL expressions
[patch]
Proposed patch v3
2014-03-18-bug56265-tc8-v3.patch (text/plain), 9.59 KB, created by
Mark Thomas
on 2014-03-18 15:03:17 UTC
Description:
Proposed patch v3
Filename:
MIME Type:
Creator:
Mark Thomas
Created:
2014-03-18 15:03:17 UTC
Size:
9.59 KB
>Index: java/org/apache/jasper/compiler/Generator.java
>===================================================================
>--- java/org/apache/jasper/compiler/Generator.java (revision 1578812)
>+++ java/org/apache/jasper/compiler/Generator.java (working copy)
>@@ -1839,7 +1839,7 @@
> out.print(" + \"\\\"");
> } else {
> out.print(DOUBLE_QUOTE);
>- out.print(attrs.getValue(i).replace("\"", """));
>+ out.print(jspAttrs[i].getValue().replace("\"", """));
> out.print(DOUBLE_QUOTE);
> }
> }
>Index: java/org/apache/jasper/compiler/Validator.java
>===================================================================
>--- java/org/apache/jasper/compiler/Validator.java (revision 1578812)
>+++ java/org/apache/jasper/compiler/Validator.java (working copy)
>@@ -1402,7 +1402,7 @@
>
> } else {
> result = new Node.JspAttribute(tai, qName, uri,
>- localName, value, false, null, dynamic);
>+ localName, xmlEscape(value), false, null, dynamic);
> }
> }
> } else {
>Index: test/org/apache/jasper/compiler/TestParser.java
>===================================================================
>--- test/org/apache/jasper/compiler/TestParser.java (revision 1578812)
>+++ test/org/apache/jasper/compiler/TestParser.java (working copy)
>@@ -14,7 +14,6 @@
> * See the License for the specific language governing permissions and
> * limitations under the License.
> */
>-
> package org.apache.jasper.compiler;
>
> import java.io.File;
>@@ -27,8 +26,11 @@
> import org.junit.Assert;
> import org.junit.Test;
>
>+import org.apache.catalina.WebResourceRoot;
>+import org.apache.catalina.core.StandardContext;
> import org.apache.catalina.startup.Tomcat;
> import org.apache.catalina.startup.TomcatBaseTest;
>+import org.apache.catalina.webresources.StandardRoot;
> import org.apache.tomcat.util.buf.ByteChunk;
>
> /**
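Review bot: The new `out.print(jspAttrs[i].getValue()...)` line in Generator.java carries no comment saying the value it reads is already escaped, although the Validator.java hunk in this patch now builds that attribute from `xmlEscape(value)`. A comment such as `// jspAttrs[i] holds the value as XML-escaped by Validator; only the double quote is handled here` would stop a later edit from adding a second escaping pass or reverting to the raw `attrs.getValue(i)`. The value is printed between `DOUBLE_QUOTE` markers into generated output, so under-escaping at this point would let attribute content break out of the attribute, and double escaping would corrupt it. Whether `xmlEscape` already covers the double quote is not visible here; if it does, the `.replace(...)` call is redundant. The enclosing loop starts and ends outside the hunk.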
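Review bot: In the Validator.java hunk `xmlEscape(value)` is applied while the same constructor call still passes `dynamic`, so the literal value of a dynamic attribute is stored escaped too. If that value is later handed to a tag handler as data rather than written out as markup (bug56265.tagx in this patch reads it through `${e.value}`), the handler would receive entity-encoded text and any encoding it applies itself would double up; this is an inference, since the consumer is outside the hunk. Either escape only at the point where the value is emitted, or state the contract at this call with `// value is stored XML-escaped; consumers must not escape it again`. The other branches of the method are outside the hunk, so it cannot be checked from here that they treat `value` the same way.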
>@@ -328,18 +330,58 @@
>
> String result = res.toString();
>
>- Assert.assertTrue(result.contains(""1foo1"") ||
>- result.contains(""1foo1""));
>- Assert.assertTrue(result.contains(""2bar2"") ||
>- result.contains(""2bar2""));
>- Assert.assertTrue(result.contains(""3a&b3"") ||
>- result.contains(""3a&b3""));
>- Assert.assertTrue(result.contains(""4&4"") ||
>- result.contains(""4&4""));
>- Assert.assertTrue(result.contains(""5'5"") ||
>- result.contains(""5'5""));
>+ Assert.assertTrue(result,
>+ result.contains(""1foo1<&>"")
>+ || result.contains(""1foo1<&>""));
>+ Assert.assertTrue(result,
>+ result.contains(""2bar2<&>"")
>+ || result.contains(""2bar2<&>""));
>+ Assert.assertTrue(result,
>+ result.contains(""3a&b3"")
>+ || result.contains(""3a&b3""));
>+ Assert.assertTrue(result,
>+ result.contains(""4&4"")
>+ || result.contains(""4&4""));
>+ Assert.assertTrue(result,
>+ result.contains(""5'5"")
>+ || result.contains(""5'5""));
> }
>
>+ @Test
>+ public void testBug56265() throws Exception {
>+ Tomcat tomcat = getTomcatInstance();
>+
>+ File appDir = new File("test/webapp");
>+ // app dir is relative to server home
>+ StandardContext ctxt = (StandardContext) tomcat.addWebapp(null,
>+ "/test", appDir.getAbsolutePath());
>+
>+ // This test needs the JSTL libraries
>+ File lib = new File("webapps/examples/WEB-INF/lib");
>+ ctxt.setResources(new StandardRoot(ctxt));
>+ ctxt.getResources().createWebResourceSet(
>+ WebResourceRoot.ResourceSetType.POST, "/WEB-INF/lib",
>+ lib.getAbsolutePath(), null, "/");
>+
>+ tomcat.start();
>+
>+ ByteChunk res = getUrl("http://localhost:" + getPort() +
>+ "/test/bug5nnnn/bug56265.jsp");
>+
>+ String result = res.toString();
>+
>+ Assert.assertTrue(result,
>+ result.contains("[1: [data-test]: [window.alert('Hello World <&>!')]]") ||
>+ result.contains("[1: [data-test]: [window.alert('Hello World <&>!')]]"));
>+ Assert.assertTrue(result,
>+ result.contains("[2: [data-test]: [window.alert('Hello World <&>!')]]"));
>+ Assert.assertTrue(result,
>+ result.contains("[3: [data-test]: [window.alert('Hello 'World <&>'!')]]") ||
>+ result.contains("[3: [data-test]: [window.alert('Hello 'World <&>'!')]]"));
>+ Assert.assertTrue(result,
>+ result.contains("[4: [data-test]: [window.alert('Hello 'World <&>'!')]]"));
>+ }
>+
> /** Assertion for text printed by tags:echo */
> private static void assertEcho(String result, String expected) {
> assertTrue(result.indexOf("<p>" + expected + "</p>") > 0);
>Index: test/webapp/WEB-INF/tags/bug55198.tagx
>===================================================================
>--- test/webapp/WEB-INF/tags/bug55198.tagx (revision 1578812)
>+++ test/webapp/WEB-INF/tags/bug55198.tagx (working copy)
>@@ -17,8 +17,8 @@
> -->
> <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
> <jsp:directive.tag body-content="scriptless" />
>-<a href="#" onclick="window.alert("1${'foo'}1")">foo</a>
>-<a href="#" onclick="window.alert("2bar2")">bar</a>
>+<a href="#" onclick="window.alert("1${'foo'}1<&>")">foo</a>
>+<a href="#" onclick="window.alert("2bar2<&>")">bar</a>
> <a href="#" onclick="window.alert("3${text}3")">foo</a>
> <a href="#" onclick="window.alert("4${'&'}4")">foo</a>
> <a href="#" onclick="window.alert("5${'&apos;'}5")">foo</a>
>Index: test/webapp/WEB-INF/tags/bug56265.tagx
>===================================================================
>--- test/webapp/WEB-INF/tags/bug56265.tagx (revision 0)
>+++ test/webapp/WEB-INF/tags/bug56265.tagx (working copy)
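Review bot: In `testBug56265` the assertions for cases 1 and 3 accept two alternative encodings joined by `||`, while cases 2 and 4 accept exactly one, and no comment explains the asymmetry. A short comment above each pair, for example `// literal values may be rendered with either entity form; EL results are passed through unchanged`, would record which layer is expected to produce each form, so a future escaping regression is not mistaken for an allowed variant (the wording is a guess at the intent and should be confirmed). As shown on this page the dynamic-attribute fixture exercises `<`, `&`, `>` and `'` but has no value containing a double quote, which is the character the Generator.java hunk special-cases; a fifth case would cover it. The first part of this hunk edits a test method that begins outside the hunk.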
>@@ -0,0 +1,24 @@
>+<?xml version="1.0" encoding="UTF-8" ?>
>+<!--
>+ Licensed to the Apache Software Foundation (ASF) under one or more
>+ contributor license agreements. See the NOTICE file distributed with
>+ this work for additional information regarding copyright ownership.
>+ The ASF licenses this file to You under the Apache License, Version 2.0
>+ (the "License"); you may not use this file except in compliance with
>+ the License. You may obtain a copy of the License at
>+
>+ http://www.apache.org/licenses/LICENSE-2.0
>+
>+ Unless required by applicable law or agreed to in writing, software
>+ distributed under the License is distributed on an "AS IS" BASIS,
>+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>+ See the License for the specific language governing permissions and
>+ limitations under the License.
>+-->
>+<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0"
>+ xmlns:c="http://java.sun.com/jsp/jstl/core">
>+ <jsp:directive.tag body-content="empty" dynamic-attributes="attMap" />
>+ <c:forEach var="e" items="${attMap}">
>+ <jsp:text>[${e.key}]: [${e.value}]</jsp:text>
>+ </c:forEach>
>+</jsp:root>
>\ No newline at end of file
>Index: test/webapp/bug5nnnn/bug56265.jsp
>===================================================================
>--- test/webapp/bug5nnnn/bug56265.jsp (revision 0)
>+++ test/webapp/bug5nnnn/bug56265.jsp (working copy)
>@@ -0,0 +1,30 @@
>+<%--
>+ Licensed to the Apache Software Foundation (ASF) under one or more
>+ contributor license agreements. See the NOTICE file distributed with
>+ this work for additional information regarding copyright ownership.
>+ The ASF licenses this file to You under the Apache License, Version 2.0
>+ (the "License"); you may not use this file except in compliance with
>+ the License. You may obtain a copy of the License at
>+
>+ http://www.apache.org/licenses/LICENSE-2.0
>+
>+ Unless required by applicable law or agreed to in writing, software
>+ distributed under the License is distributed on an "AS IS" BASIS,
>+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>+ See the License for the specific language governing permissions and
>+ limitations under the License.
>+--%>
>+<%@ taglib prefix="tags" tagdir="/WEB-INF/tags" %>
>+<%
>+request.setAttribute("text", "World <&>");
>+request.setAttribute("textQuote", "'World <&>'");
>+%>
>+<html>
>+ <head><title>Bug 56265 test case</title></head>
>+ <body>
>+ <p>[1: <tags:bug56265 data-test="window.alert('Hello World <&>!')"/>]</p>
>+ <p>[2: <tags:bug56265 data-test="window.alert('Hello ${text}!')"/>]</p>
>+ <p>[3: <tags:bug56265 data-test="window.alert('Hello 'World <&>'!')"/>]</p>
>+ <p>[4: <tags:bug56265 data-test="window.alert('Hello ${textQuote}!')"/>]</p>
>+ </body>
>+</html>
>\ No newline at end of file
>Index: test/webapp/bug5nnnn/bug56265.jsp
>===================================================================
>--- test/webapp/bug5nnnn/bug56265.jsp (revision 0)
>+++ test/webapp/bug5nnnn/bug56265.jsp (working copy)
>
>Property changes on: test/webapp/bug5nnnn/bug56265.jsp
>___________________________________________________________________
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property