Bug 43617

Summary: attribute values within a .tag(x) file are not properly escaped
Product: Tomcat 6 Reporter: Lucas Galfaso <lgalfaso>
Component: JasperAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 6.0.14   
Target Milestone: default   
Hardware: Other   
OS: All   
Attachments: Proposed patch

Description Lucas Galfaso 2007-10-12 18:29:40 UTC 
Attribute values within a .tag(x) file are not properly escaped when they are
converted into .java files.
E.g
Create a .tagx file with this content

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns="http://www.w3.org/1999/xhtml"
          version="2.1">
  <div test='"'>Hello world</div>
</jsp:root>

Call this tag from a .jsp page.

Will attach a patch within some minutes
Comment 1 Lucas Galfaso 2007-10-12 18:30:43 UTC 
Created attachment 20973 [details]
Proposed patch
Comment 2 Mark Thomas 2008-04-23 14:51:28 UTC 
I think you meant &quot; rather than &amp; in your patch.

I have commited a variation to trunk and proposed it for 6.0.x
Comment 3 Lucas Galfaso 2008-04-25 14:57:46 UTC 
Hi Mark and sorry to bug you, but the commited patch is still not good, the test case is

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns="http://www.w3.org/1999/xhtml"
          version="2.1">
  <div test='"&apos; thisIsPartOfTheAttributeValueAndNotANewAttribute=&apos:-)&apos;'>Hello world</div>
</jsp:root>

I think there is no way around to inserting the xml escape code.
Comment 4 Mark Thomas 2008-04-25 15:40:15 UTC 
Thanks for the additional test case. I have applied a better patch based on your original proposal.
Comment 5 Mark Thomas 2008-05-01 10:55:02 UTC 
The fix has been committed and will be in 6.0.17 onwards.