Bug 31054 - XML character entities in attributes not resolved in EL expressions
Summary: XML character entities in attributes not resolved in EL expressions
Status: RESOLVED INVALID
Alias: None
Product: Taglibs
Classification: Unclassified
Component: Standard Taglib (show other bugs)
Version: 1.0.5
Hardware: PC All
: P3 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-03 18:30 UTC by Todd Trimmer
Modified: 2005-03-20 17:06 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Todd Trimmer 2004-09-03 18:30:00 UTC
In a JSP if I enter:

    <c:out value="${param[&quot;action&quot;]}" />

The EL parser will complain about the first '&'. But why is the '&' even getting
that far? Why aren't the character entities in the XML attribute resolved before
getting passed into the tag handler?
Comment 1 Justyna Horwat 2004-10-18 22:17:23 UTC
With JSP 2.0 the parser for JSP will consider the escaping rules for this attribute according to section 1.6 
of the JSP 2.0 spec. There it lists "&quot;" as a valid way to escape a quotation mark.

By the way, the escaping is not in the domain of the EL Evaluator since the escaping rules should have 
already been applied by the JSP parser before the expression evaluation begins.

I wrote a jsp to verify that the escaping rules are followed correctly on a JSP 2.0 container. I used 
Tomcat 5.0.25:

----
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<c:set var="singleTick"><c:out value="${param['singleTick']}" default="\'"/></c:set>
<c:set var="doubleTick"><c:out value="${param[\"doubleTick\"]}" default="\""/></c:set>
<c:set var="xmlEntity"><c:out value="${param[&quot;xmlEntity&quot;]}" default="&quot;"/></c:set>


<h1>Testing different ways to nest quotes</h1>
<ul>
  <li>Single tick quotation mark: <c:out value="${singleTick}" escapeXml="false"/></li>
  <li>Double tick quotation mark: <c:out value="${doubleTick}" escapeXml="false"/></li>
  <li>Xml '&quot;' entity: <c:out value="${xmlEntity}" escapeXml="false"/></li>
</ul>
----

The result of running this page should be:
----
Single tick quotation mark: '
Double tick quotation mark: "
Xml '"' entity: "
----

If you are using a JSP 1.2 container with JSTL 1.0, I don't think that "&quot;" was a valid way to escape a 
quotation. You can easily work around this by either using the single tick character: ', or escaping the 
double tick character: \".