| Summary: | XML character entities in attributes not resolved in EL expressions | ||
|---|---|---|---|
| Product: | Taglibs | Reporter: | Todd Trimmer <todd.trimmer> |
| Component: | Standard Taglib | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | ||
| Priority: | P3 | ||
| Version: | 1.0.5 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | All | ||
With JSP 2.0 the parser for JSP will consider the escaping rules for this attribute according to section 1.6 of the JSP 2.0 spec. There it lists """ as a valid way to escape a quotation mark. By the way, the escaping is not in the domain of the EL Evaluator since the escaping rules should have already been applied by the JSP parser before the expression evaluation begins. I wrote a jsp to verify that the escaping rules are followed correctly on a JSP 2.0 container. I used Tomcat 5.0.25: ---- <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <c:set var="singleTick"><c:out value="${param['singleTick']}" default="\'"/></c:set> <c:set var="doubleTick"><c:out value="${param[\"doubleTick\"]}" default="\""/></c:set> <c:set var="xmlEntity"><c:out value="${param["xmlEntity"]}" default="""/></c:set> <h1>Testing different ways to nest quotes</h1> <ul> <li>Single tick quotation mark: <c:out value="${singleTick}" escapeXml="false"/></li> <li>Double tick quotation mark: <c:out value="${doubleTick}" escapeXml="false"/></li> <li>Xml '"' entity: <c:out value="${xmlEntity}" escapeXml="false"/></li> </ul> ---- The result of running this page should be: ---- Single tick quotation mark: ' Double tick quotation mark: " Xml '"' entity: " ---- If you are using a JSP 1.2 container with JSTL 1.0, I don't think that """ was a valid way to escape a quotation. You can easily work around this by either using the single tick character: ', or escaping the double tick character: \". |
In a JSP if I enter: <c:out value="${param["action"]}" /> The EL parser will complain about the first '&'. But why is the '&' even getting that far? Why aren't the character entities in the XML attribute resolved before getting passed into the tag handler?