Bug 16758

Summary: JSTL formatNumber tag not escaping characters
Product: Taglibs
Reporter: Mason Blackwood <mason.blackwood>
Component: Standard Taglib
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED INVALID    
Severity: normal    
Priority: P3    
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Mason Blackwood 2003-02-04 14:31:44 UTC
The formatNumber tags for both rt and el are not escaping characters before 
embedding into the response. Our web app is currently using JSTL 1.0.1, but 
I've downloaded the latest nightly build and the problem still exists. 

For example, request locale is en_GB, and I use this in my JSP...

<format:formatNumber value="${oneOffCharge}" type="currency" />

... and assuming oneOffCharge is set to 12.34, the response generated (viewing 
the HTML source) will be...

£12.34

The £ is an HTML escape character, and should be formatted as &#163; before 
being embedded in the response, so the resulting HTML should read...

&#163;12.34

Having a quick look at the code, both tags extend 
org.apache.taglibs.standard.tag.common.fmt.FormatNumberSupport, in this class, 
in the doEndTag() method, I added...

formatted = HtmlEncoder.encode(formatted);

[org.apache.taglibs.standard.lang.jpath.encoding.HtmlEncoder supplied with the 
standard.jar]

... just before...

        if (var != null) {
            pageContext.setAttribute(var, formatted, scope);
        } else {
            try {
                pageContext.getOut().print(formatted);
            } catch (IOException ioe) {
                throw new JspTagException(ioe.getMessage());
            }
        }

... and this solved the problem. Hopefully it will point you in the right 
direction.

Kind Rgds
Mason Blackwood
Comment 1 Pierre Delisle 2003-02-05 18:38:08 UTC
The behavior of formatNumber is according to spec.
The tag has not been designed to perform any sort of escaping
on the output value.
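
An added example, not part of the bug report or of the Taglibs code, that shows in plain Java what the two positions in this thread amount to: the locale-aware NumberFormat call that formatNumber wraps, the ASCII-only entity encoding the reporter asked for (written here as a stand-in, since the exact rules of the HtmlEncoder class mentioned in the report are not shown on this page), and the escapeXml rules the JSTL spec gives c:out. The class and method names are assumed for illustration only.

```java
import java.math.BigDecimal;
import java.text.NumberFormat;
import java.util.Locale;

public class FormatNumberEscapeDemo {

    // Same formatting path <fmt:formatNumber type="currency"> takes: a locale-aware
    // NumberFormat whose output carries whatever currency symbol the JDK has for the locale.
    static String formatCurrency(BigDecimal value, Locale locale) {
        return NumberFormat.getCurrencyInstance(locale).format(value);
    }

    // The escaping the report asks for: markup-significant characters become entities and
    // every non-ASCII code point becomes a numeric character reference, so the bytes written
    // are pure ASCII regardless of the response charset. (Assumed stand-in for the report's
    // HtmlEncoder; its exact rules are not on the page.)
    static String encodeHtmlAscii(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:
                    if (cp < 0x80) {
                        out.appendCodePoint(cp);
                    } else {
                        out.append("&#").append(cp).append(';'); // U+00A3 becomes &#163;
                    }
            }
        }
        return out.toString();
    }

    // The escaping the JSTL spec does provide, via <c:out> with escapeXml="true" (the
    // default): only the five markup-significant characters are rewritten; non-ASCII text
    // passes through unchanged and relies on the declared response charset being right.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input matching the report: 12.34 formatted for the en_GB locale.
        String formatted = formatCurrency(new BigDecimal("12.34"), Locale.UK);

        System.out.println("formatNumber output : " + formatted);
        System.out.println("reporter's encoding : " + encodeHtmlAscii(formatted));
        System.out.println("c:out escapeXml     : " + escapeXml(formatted));
    }
}
```

The first line of output corresponds to what the reporter saw in the page source, the second to what the reporter wanted, and the third to the spec-conformant route in a JSP: capture the result with `var` and emit it through `<c:out>`, for example `<fmt:formatNumber value="${oneOffCharge}" type="currency" var="charge"/><c:out value="${charge}"/>`. Note that escapeXml leaves the currency symbol as a raw character, so the page must declare the charset it really writes (for example `<%@ page contentType="text/html; charset=UTF-8" %>`); a charset mismatch between the JSP and the browser is what turns £ into mojibake, and that is the symptom numeric-entity encoding sidesteps rather than a flaw in the tag.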