Attribute values within a .tag(x) file are not properly escaped when they are converted into .java files. E.g Create a .tagx file with this content <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.1"> <div test='"'>Hello world</div> </jsp:root> Call this tag from a .jsp page. Will attach a patch within some minutes
Created attachment 20973 [details] Proposed patch
I think you meant " rather than & in your patch. I have commited a variation to trunk and proposed it for 6.0.x
Hi Mark and sorry to bug you, but the commited patch is still not good, the test case is <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" version="2.1"> <div test='"' thisIsPartOfTheAttributeValueAndNotANewAttribute=&apos:-)''>Hello world</div> </jsp:root> I think there is no way around to inserting the xml escape code.
Thanks for the additional test case. I have applied a better patch based on your original proposal.
The fix has been committed and will be in 6.0.17 onwards.