In org.apache.catalina.ssi.SSIProcessor the method parseParamNames is broken. If I have an SSI directive like <!--#set var="test" value="blubb\"\"" --> the method detects three parameters instead of two. This is because there are two consecutive escaped characters. Although the first one \" is detected correctly, the next one isn't, because the flag escaped is still set to true although this character isn't escaped anymore.

You have to replace

    boolean escaped = false;
    for (; bIdx < cmd.length() && quotes != 2; bIdx++) {
        char c = cmd.charAt(bIdx);
        // Need to skip escaped characters
        if (c == '\\' && !escaped) {
            escaped = true;
            bIdx++;
            continue;
        }
        escaped = false;
        if (c == '"') quotes++;
    }

by

    for (; bIdx < cmd.length() && quotes != 2; bIdx++) {
        char c = cmd.charAt(bIdx);
        // Need to skip escaped characters
        if (c == '\\') {
            bIdx++;
            continue;
        }
        if (c == '"') quotes++;
    }

Just removing the flag escaped is sufficient, because you don't have to remember whether the last character was escaped, and that should have no influence on consecutive characters. The bug still exists in the HEAD revision of the repository.

Your proposed patch isn't quite right. For example, you have to know if the previous character is escaped or not if you have two \ in a row. I have committed a fix to trunk and proposed it for 6.0.x.

The patch has been applied to 6.0.x and will be in 6.0.17 onwards.
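
An added example, not part of the original report and not Tomcat's committed fix: the loop quoted in the report next to an escape-aware scan in which a backslash escapes exactly the next character, run over constructed directive fragments that include the reported value and one with two backslashes in a row. The class and method names (`SsiQuoteScan`, `scanReported`, `scanEscapeAware`) are hypothetical.

```java
public class SsiQuoteScan {
    // Loop as quoted in the report; returns the index just past the
    // second quote it counts, i.e. where it thinks the value ends.
    static int scanReported(String cmd, int bIdx) {
        int quotes = 0;
        boolean escaped = false;
        for (; bIdx < cmd.length() && quotes != 2; bIdx++) {
            char c = cmd.charAt(bIdx);
            if (c == '\\' && !escaped) {
                escaped = true;
                bIdx++;
                continue;
            }
            escaped = false;
            if (c == '"') quotes++;
        }
        return bIdx;
    }

    // Escape-aware scan (assumption, not the project's code): the flag
    // covers only the single character after a backslash, then resets.
    static int scanEscapeAware(String cmd, int bIdx) {
        int quotes = 0;
        boolean escaped = false;
        for (; bIdx < cmd.length() && quotes != 2; bIdx++) {
            char c = cmd.charAt(bIdx);
            if (escaped) { escaped = false; continue; } // consume escaped char
            if (c == '\\') { escaped = true; continue; }
            if (c == '"') quotes++;
        }
        return bIdx;
    }

    public static void main(String[] args) {
        // Constructed samples: text following value= in a #set directive.
        String[] samples = {
            "\"blubb\\\"\\\"\" -->",  // "blubb\"\"" -->  (value from the report)
            "\"a\\\\\\\"b\" -->",     // "a\\\"b" -->     (two backslashes, then \")
        };
        for (String s : samples) {
            System.out.println("input        : " + s);
            System.out.println("reported loop: " + s.substring(0, scanReported(s, 0)));
            System.out.println("escape-aware : " + s.substring(0, scanEscapeAware(s, 0)));
        }
    }
}
```

Wherever the two scans return different end indexes, the text after the shorter one is left over and gets parsed as a further parameter, which is the extra parameter the report describes.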