|Summary:|attribute values within a .tag(x) file are not properly escaped|
|Product:|Tomcat 6|
|Reporter:|Lucas Galfaso <lgalfaso>|
|Component:|Jasper|
|Assignee:|Tomcat Developers Mailing List <dev>|
Description Lucas Galfaso 2007-10-12 18:29:40 UTC
Attribute values within a .tag(x) file are not properly escaped when they are converted into .java files. E.g., create a .tagx file with this content:

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.1">
<div test='"'>Hello world</div>
</jsp:root>

Call this tag from a .jsp page. Will attach a patch within some minutes.
Comment 2 Mark Thomas 2008-04-23 14:51:28 UTC
I think you meant " rather than & in your patch. I have committed a variation to trunk and proposed it for 6.0.x.
Comment 3 Lucas Galfaso 2008-04-25 14:57:46 UTC
Hi Mark and sorry to bug you, but the committed patch is still not good. The test case is:

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.1">
<div test='"' thisIsPartOfTheAttributeValueAndNotANewAttribute=&apos:-)''>Hello world</div>
</jsp:root>

I think there is no way around inserting the XML escape code.
Comment 4 Mark Thomas 2008-04-25 15:40:15 UTC
Thanks for the additional test case. I have applied a better patch based on your original proposal.
Comment 5 Mark Thomas 2008-05-01 10:55:02 UTC
The fix has been committed and will be in 6.0.17 onwards.
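
The following is an added illustration of the two escaping layers this report touches; it is not code from Jasper or from the committed patch. It assumes the generator re-emits the tag's markup through an out.write(...) call in the generated .java file; the class name, method names and sample values are hypothetical and constructed for the example.

```java
public class AttrEscapeDemo {

    // Layer 1: escape a parsed attribute value so it can be re-quoted in XML output.
    static String escapeXmlAttr(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Layer 2: escape markup for use inside a Java string literal in generated source.
    static String escapeJavaLiteral(String text) {
        StringBuilder sb = new StringBuilder(text.length() + 8);
        for (char c : text.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the line of generated Java that writes the opening tag (assumed shape).
    static String generate(String tag, String attr, String parsedValue, boolean escape) {
        String v = escape ? escapeXmlAttr(parsedValue) : parsedValue;
        String markup = "<" + tag + " " + attr + "=\"" + v + "\">";
        return "out.write(\"" + escapeJavaLiteral(markup) + "\");";
    }

    public static void main(String[] args) {
        // Constructed inputs: the value from the first test case, then one mixing quote styles.
        String[] values = { "\"", "a' b=\"c\" & <d>" };
        for (String v : values) {
            System.out.println("unescaped: " + generate("div", "test", v, false));
            System.out.println("escaped:   " + generate("div", "test", v, true));
        }
    }
}
```

Comparing the two lines printed for each value shows that the Java-literal layer alone keeps the generated source compilable but still writes an attribute whose value terminates early, which is why the XML escape has to be applied to the parsed value first.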