Bug 16758

Summary: JSTL formatNumber tag not escaping characters
Product: Taglibs Reporter: Mason Blackwood <mason.blackwood>
Component: Standard TaglibAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P3    
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Mason Blackwood 2003-02-04 14:31:44 UTC
The formatNumber tags for both rt and el are not escaping characters before 
embedding into the response. Our web app is currently using JSTL 1.0.1, but 
I've downloaded the latest nightly build and the problem still exists. 

For example, request locale is en_GB, and I use this in my JSP...

<format:formatNumber value="${oneOffCharge}" type="currency" />

... and assuming oneOffCharge is set to 12.34, the response generated (viewing 
the HTML source) will be...


The £ is an HTML escape character, and should be formatted as &#163; before 
being embedded in the response, so the resulting HTML should read...


Having a quick look at the code, both tags extend 
org.apache.taglibs.standard.tag.common.fmt.FormatNumberSupport, in this class, 
in the doEndTag() method, I added...

formatted = HtmlEncoder.encode(formatted);

[org.apache.taglibs.standard.lang.jpath.encoding.HtmlEncoder supplied with the 

... just before...

        if (var != null) {
            pageContext.setAttribute(var, formatted, scope);
        } else {
            try {
            } catch (IOException ioe) {
                throw new JspTagException(ioe.getMessage());

... and this solved the problem. Hopefully it will point you in the right 

Kind Rgds
Mason Blackwood
Comment 1 Pierre Delisle 2003-02-05 18:38:08 UTC
The behavior of formatNumber is according to spec.
The tag has not been designed to perform any sort of escaping
on the output value.