Bug 31054

Summary: XML character entities in attributes not resolved in EL expressions
Product: Taglibs
Reporter: Todd Trimmer <todd.trimmer>
Component: Standard Taglib
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P3    
Version: 1.0.5   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Todd Trimmer 2004-09-03 18:30:00 UTC
In a JSP if I enter:

    <c:out value="${param[&quot;action&quot;]}" />

The EL parser will complain about the first '&'. But why is the '&' even getting
that far? Why aren't the character entities in the XML attribute resolved before
getting passed into the tag handler?
Comment 1 Justyna Horwat 2004-10-18 22:17:23 UTC
With JSP 2.0 the parser for JSP will consider the escaping rules for this attribute according to section 1.6 
of the JSP 2.0 spec. There it lists "&quot;" as a valid way to escape a quotation mark.

By the way, the escaping is not in the domain of the EL Evaluator since the escaping rules should have 
already been applied by the JSP parser before the expression evaluation begins.

I wrote a jsp to verify that the escaping rules are followed correctly on a JSP 2.0 container. I used 
Tomcat 5.0.25:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<c:set var="singleTick"><c:out value="${param['singleTick']}" default="\'"/></c:set>
<c:set var="doubleTick"><c:out value="${param[\"doubleTick\"]}" default="\""/></c:set>
<c:set var="xmlEntity"><c:out value="${param[&quot;xmlEntity&quot;]}" default="&quot;"/></c:set>

<h1>Testing different ways to nest quotes</h1>
<ul>
  <li>Single tick quotation mark: <c:out value="${singleTick}" escapeXml="false"/></li>
  <li>Double tick quotation mark: <c:out value="${doubleTick}" escapeXml="false"/></li>
  <li>Xml '&quot;' entity: <c:out value="${xmlEntity}" escapeXml="false"/></li>
</ul>

The result of running this page should be:
Single tick quotation mark: '
Double tick quotation mark: "
Xml '"' entity: "

If you are using a JSP 1.2 container with JSTL 1.0, I don't think that "&quot;" was a valid way to escape a 
quotation. You can easily work around this by either using the single tick character: ', or escaping the 
double tick character: \".
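Added illustration (not code from the bug report, JSTL or Tomcat): a stand-alone model of the JSP 2.0 section 1.6 attribute-quoting step that Comment 1 says runs before EL evaluation, applied to the three attribute values from the test page. It also covers `&apos;`, `\\` and `\$`, which the spec lists alongside the forms shown on this page, and `el_param_key` is a hypothetical stand-in for the EL parser's check of a `${param[...]}` subscript.

```python
import re

# Quoting forms JSP 2.0 (section 1.6) resolves inside attribute values.
# Only these entities are resolved in JSP page syntax; e.g. &amp; is left as-is.
JSP_ENTITIES = {"&quot;": '"', "&apos;": "'"}
JSP_BACKSLASH = {"'": "'", '"': '"', "\\": "\\", "$": "$"}  # \' \" \\ \$


def unquote_jsp_attribute(raw: str) -> str:
    """Return the attribute text the JSP parser hands to the EL evaluator."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] in JSP_BACKSLASH:
            out.append(JSP_BACKSLASH[raw[i + 1]])
            i += 2
            continue
        if ch == "&":
            for entity, char in JSP_ENTITIES.items():
                if raw.startswith(entity, i):
                    out.append(char)
                    i += len(entity)
                    break
            else:  # no JSP quoting entity here: the '&' passes through untouched
                out.append(ch)
                i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


# Hypothetical stand-in for the EL parser: a ${param[...]} subscript must hold
# a quoted string literal; anything else (such as a raw '&') is rejected.
_EL_INDEX = re.compile(r'''^\$\{param\[(['"])([^'"]*)\1\]\}$''')


def el_param_key(expr: str):
    """Key named by ${param['k']} / ${param["k"]}, or None if EL would reject it."""
    m = _EL_INDEX.match(expr)
    return m.group(2) if m else None


if __name__ == "__main__":
    # Constructed inputs: the three attribute values from the comment's test page.
    for raw in ("${param['singleTick']}", '${param[\\"doubleTick\\"]}',
                "${param[&quot;xmlEntity&quot;]}"):
        resolved = unquote_jsp_attribute(raw)
        print(f"{raw!r:38} -> {resolved!r:28} key={el_param_key(resolved)!r}")
```

The last line of output shows the reporter's case: a JSP 2.0 parser turns `${param[&quot;xmlEntity&quot;]}` into `${param["xmlEntity"]}` before EL sees it, whereas passing the raw value straight to EL (the JSP 1.2 behaviour) leaves the `&` in place and the expression is rejected.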