Bug 55735 - Additional quote entity in html element attribute evaluated in tagx if attribute contains EL expression
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Jasper
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2013-11-02 06:14 UTC by azuo.lee
Modified: 2013-11-05 23:01 UTC
Description azuo.lee 2013-11-02 06:14:56 UTC
Well, after fix for Bug 55198, if a tag file contains
<a href="#" onclick="window.alert(&quot;${text}&quot;)">foobar</a>
It can now be correctly rendered as (if text='foobar')
<a href="#" onclick="window.alert(&quot;foobar&quot;)">foobar</a>

But it is rendered completely wrongly as ***** IF text='&amp;foobar' *****
<a href="#" onclick="window.alert(&quot;&amp;amp;foobar&quot;)">foobar</a>

The EL expression ${text} should be rendered without any escaping, but now it is
escaped just like the other literal parts in the attribute.

Generally, a tagx file's compiler must not make any assumption about whether its output is well-formed XML or not; it should just keep the literal attribute or text as is, and output any EL expression directly. It's the tagx file author's responsibility to determine whether a text variable should be escaped, e.g.:
<a href="#" onclick="window.alert(&quot;${fn:escape(text)}&quot;)">foobar</a>

Suppose we have:
request.setAttribute("text", "2 &gt; 1");
And in a tagx file:
<div title="&quot;${text}&quot;">&quot;${text}&quot;</div>

The correct output could be:
<div title="&quot;2 &gt; 1&quot;">&quot;2 &gt; 1&quot;</div>

But neither
<div title="&quot;2 &amp;gt; 1&quot;">&quot;2 &gt; 1&quot;</div>

<div title=""2 > 1"">&quot;2 &gt; 1&quot;</div>
Comment 1 azuo.lee 2013-11-02 10:28:49 UTC
Um... it seems the JSP spec doesn't clarify the behavior at all...

But XSLT does. If we "borrow" rules from XSLT, then some correct examples could be (text="2 &gt; 1"):

tagx/jspx:  <div title="&quot;${text}&quot;">ABCD</div>
output:     <div title="&quot;2 &amp;gt; 1&quot;">ABCD</div>

tagx/jspx:  <div>&quot;<c:out value="&amp;nbsp;${text}&quot;" escapeXml="false"/></div>
output:     <div>&quot;&nbsp;2 &gt; 1"</div>

But XSLT doesn't allow expressions in template text, thus, what can be the correct result generated by the following example?

tagx/jspx:  <div>&quot;${text}&quot;</div>

Should it be
output:     <div>&quot;2 &amp;gt; 1&quot;</div>
output:     <div>"2 &gt; 1"</div>
output:     <div>&quot;2 &gt; 1&quot;</div>
output:     <div>"2 &amp;gt; 1"</div>

Comment 2 azuo.lee 2013-11-02 11:05:11 UTC

1. If you use jspx or tagx, then never use any EL expressions within attribute values, and always use JSTL <out> tag to output expression values within template content -- unless you know the expression value must not contain any XML reserved characters;

2. Do not use jspx or tagx at all, use jsp and tag files instead -- whose behaviors are relatively determined.
Comment 3 Mark Thomas 2013-11-05 22:57:32 UTC
Thanks for the report. This was a regression in the fix for bug 55198.

This has been fixed in trunk for 8.0.0-RC6 onwards.

This has been fixed in 7.0.x for 7.0.48 onwards.
Comment 4 Mark Thomas 2013-11-05 23:01:16 UTC
I've updated the back-port proposal for 55198 to include the fix for this regression so there is no need to keep this bug open.
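
The two renderings contrasted in the description, modelled in Python as an added example (not Tomcat/Jasper code and not from the reporter or the developers). The function names, the simplified `${name}` matcher and the third sample value are assumptions made for illustration; the first two inputs are the ones quoted in the report.

```python
import re
from xml.sax.saxutils import escape, unescape

QUOT = {'"': "&quot;"}            # also escape " for a double-quoted attribute
EL = re.compile(r"\$\{(\w+)\}")   # assumption: only simple ${name} lookups

def parse_attr(raw):
    """Attribute value as an XML parser delivers it: source entities decoded."""
    return unescape(raw, {"&quot;": '"'})

def render_escape_all(raw, scope):
    """Reported behaviour: EL is evaluated, then the whole value is escaped."""
    evaluated = EL.sub(lambda m: str(scope[m.group(1)]), parse_attr(raw))
    return escape(evaluated, QUOT)

def render_literal_only(raw, scope):
    """Expected behaviour: re-escape literal text only, emit EL values verbatim."""
    parsed, out, pos = parse_attr(raw), [], 0
    for m in EL.finditer(parsed):
        out.append(escape(parsed[pos:m.start()], QUOT))   # literal segment
        out.append(str(scope[m.group(1)]))                # EL value untouched
        pos = m.end()
    out.append(escape(parsed[pos:], QUOT))
    return "".join(out)

def author_escape(value):
    """Stand-in for the escaping a tag author applies to an untrusted value."""
    return escape(value, QUOT)

if __name__ == "__main__":
    title = "&quot;${text}&quot;"                     # from the report
    onclick = "window.alert(&quot;${text}&quot;)"     # from the report
    samples = [(title, "2 &gt; 1"), (onclick, "&amp;foobar"),
               (title, 'a" b=')]                      # last value is constructed
    for raw, value in samples:
        print("escape all    :", render_escape_all(raw, {"text": value}))
        print("literal only  :", render_literal_only(raw, {"text": value}))
        print("author-escaped:",
              render_literal_only(raw, {"text": author_escape(value)}))
```

With literal-only rendering the third sample leaves a raw `"` inside the attribute unless the author escapes the value first, which is the responsibility the description assigns to the tagx author.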