Bug 6295

Summary: TLV error messages should not contain HTML
Product: Taglibs Reporter: Hans Bergsten <hans>
Component: Standard TaglibAssignee: Tomcat Developers Mailing List <dev>
Status: CLOSED FIXED    
Severity: major    
Priority: P3    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Hans Bergsten 2002-02-07 05:19:32 UTC
The error messages returned by all TLVs contain HTML. They shouldn't, since it
may interfere with the JSP container's method of presenting the messages. For
instance, Tomcat 4.0.1 converts the strings so that the HTML elements are 
presented as regular text instead.
Comment 1 Shawn Bayern 2002-02-07 14:05:58 UTC
Thanks again for the report, Hans.

To my knowledge, there shouldn't be any HTML elements in the TLV's error
messages.  Do you mean HTML entity references?  For instance, we never use
anything like "You made a very <b>bad</b> error," but we do say:

    Illegal 'scope' attribute without 'var' in &lt;{0}&gt;

Should this instead be

    Illegal 'scope' attribute without 'var' in <{0}>

?  Also, are we sure Tomcat is compliant in this regard?  I'd hate to have 
portions of the message disappear because another container passed the brackets 
through.  :)

Thanks again.
Comment 2 Hans Bergsten 2002-02-07 18:07:48 UTC
You're right: what I saw were HTML entity references, not HTML elements. Sloppy
analysis on my part ;-) AFAIK, the spec doesn't say how the strings returned
by a TLV should be presented by the container, so to be safe I would stick to
non-special characters. Tomcat 4.0.1 obviously converts them to HTML entities,
e.g. & to &amp;, and that's why it doesn't look right. How about avoiding the
trickiest characters (&, <, >) and use something like this instead:

  Illegal 'scope' attribute without 'var' in '{0}'

Comment 3 Shawn Bayern 2002-02-07 18:23:42 UTC
Good thought; the metacharacters aren't necessary, so I've just avoided
them (using terminology like

  "c:forEach" tag 

instead of


).  (The double-quotes are important because I think single quotes
nullify the {} replacement.)