Bug 16758 - JSTL formatNumber tag not escaping characters
Summary: JSTL formatNumber tag not escaping characters
Alias: None
Product: Taglibs
Classification: Unclassified
Component: Standard Taglib (show other bugs)
Version: unspecified
Hardware: PC All
: P3 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2003-02-04 14:31 UTC by Mason Blackwood
Modified: 2005-03-20 17:06 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Mason Blackwood 2003-02-04 14:31:44 UTC
The formatNumber tags for both rt and el are not escaping characters before 
embedding into the response. Our web app is currently using JSTL 1.0.1, but 
I've downloaded the latest nightly build and the problem still exists. 

For example, request locale is en_GB, and I use this in my JSP...

<format:formatNumber value="${oneOffCharge}" type="currency" />

... and assuming oneOffCharge is set to 12.34, the response generated (viewing 
the HTML source) will be...


The £ is an HTML escape character, and should be formatted as &#163; before 
being embedded in the response, so the resulting HTML should read...


Having a quick look at the code, both tags extend 
org.apache.taglibs.standard.tag.common.fmt.FormatNumberSupport, in this class, 
in the doEndTag() method, I added...

formatted = HtmlEncoder.encode(formatted);

[org.apache.taglibs.standard.lang.jpath.encoding.HtmlEncoder supplied with the 

... just before...

        if (var != null) {
            pageContext.setAttribute(var, formatted, scope);
        } else {
            try {
            } catch (IOException ioe) {
                throw new JspTagException(ioe.getMessage());

... and this solved the problem. Hopefully it will point you in the right 

Kind Rgds
Mason Blackwood
Comment 1 Pierre Delisle 2003-02-05 18:38:08 UTC
The behavior of formatNumber is according to spec.
The tag has not been designed to perform any sort of escaping
on the output value.