Hello, in StringW the function truncateNicely has the following bug: Any escaped XML tags are handled as single letters. This is at least annoying, and can perhaps in some very very special circumstances be used to mask data for an injection attack. The following change fixes that problem:

    public static String truncateNicely(String str, int lower, int upper, String appendToEnd) {
        // strip markup from the string
        str = XmlW.removeXml(str);

        // unescape temporarily for length handling
        str = XmlW.unescapeXml(str);

        // quickly adjust the upper if it is set lower than 'lower'
        if(upper < lower) {
            upper = lower;
        }

        // now determine if the string fits within the upper limit
        // if it does, go straight to return, do not pass 'go' and collect $200
        if(str.length() > upper) {
            // the magic location int
            int loc;

            // first we determine where the next space appears after lower
            loc = str.lastIndexOf(' ', upper);

            // now we'll see if the location is greater than the lower limit
            if(loc >= lower) {
                // yes it was, so we'll cut it off here
                str = str.substring(0, loc);
            } else {
                // no it wasn't, so we'll cut it off at the upper limit
                str = str.substring(0, upper);
            }

            // the string was truncated, so we append the appendToEnd String
            str = str + appendToEnd;
        }

        // escape after finished processing string
        str = XmlW.escapeXml(str);

        return str;
    }
Makes sense to me. Change applied.

    svn ci -m "Applying suggested change from bug 41852. " src/org/apache/taglibs/string/util/StringW.java
    Sending        src/org/apache/taglibs/string/util/StringW.java
    Transmitting file data .
    Committed revision 521371.
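The effect of the change, as an added example that is not part of the bug report or of the taglibs code: truncating by the length of the escaped text can cut through the middle of an entity, while unescape, truncate, re-escape keeps entities whole. The class name, the `escapeXml`/`unescapeXml` helpers (simplified stand-ins for `XmlW`, covering only the five predefined entities), the omission of the `removeXml` step and the sample string are assumptions made for this illustration.

```java
public class TruncateEscapedDemo {

    // Simplified stand-in for XmlW.escapeXml (assumption: five predefined entities only).
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    // Simplified stand-in for XmlW.unescapeXml; "&amp;" is handled last so that
    // "&amp;lt;" becomes the literal text "&lt;" and is not unescaped twice.
    static String unescapeXml(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&apos;", "'").replace("&amp;", "&");
    }

    // Same cut rule as the posted method: prefer the last space between
    // 'lower' and 'upper', otherwise cut hard at 'upper'.
    static String cut(String str, int lower, int upper, String appendToEnd) {
        if (upper < lower) {
            upper = lower;
        }
        if (str.length() > upper) {
            int loc = str.lastIndexOf(' ', upper);
            str = (loc >= lower) ? str.substring(0, loc) : str.substring(0, upper);
            str = str + appendToEnd;
        }
        return str;
    }

    // Length measured on the escaped text: every entity counts as 4 to 6 letters
    // and the cut position can fall inside one.
    static String truncateEscaped(String escaped, int lower, int upper, String end) {
        return cut(escaped, lower, upper, end);
    }

    // Order used in the posted change: unescape, truncate, escape again.
    static String truncateUnescaped(String escaped, int lower, int upper, String end) {
        return escapeXml(cut(unescapeXml(escaped), lower, upper, end));
    }

    public static void main(String[] args) {
        // Constructed sample: the escaped form of the text  a<b>c&d efgh
        String input = "a&lt;b&gt;c&amp;d efgh";
        System.out.println("escaped length:   " + truncateEscaped(input, 5, 8, "..."));
        System.out.println("unescaped length: " + truncateUnescaped(input, 5, 8, "..."));
    }
}
```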