
Key: LANG-363
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Minor
Assignee: Unassigned
Reporter: Situ Chenghao
Votes: 0
Watchers: 1
Commons Lang

StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/'; it will make IE render the page incorrectly

Created: 23/Oct/07 07:12 AM   Updated: 11/May/08 05:02 AM
Component/s: None
Affects Version/s: 2.3
Fix Version/s: 2.4

Time Tracking:
Not Specified

File Attachments:
patch.txt (text file, 2 kB, licensed for inclusion in ASF works), attached 2007-10-25 04:48 PM by Scott Bassin
Environment: JDK1.5 + commons-lang-2.3.jar + IE 6.0
Issue Links:

Resolution Date: 26/Oct/07 06:09 AM


Description
If JavaScript includes '/', IE will parse the script incorrectly; actually, '/' should be escaped to '\/'.
For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>'; this expression will make IE render the page incorrectly. It should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';

Btw, Spring's JavascriptEscape behavior is correct.
Try running the code below and you will find the difference:
public class EscapeCompare {
    public static void main(String[] args) {
        String s = "<script>alert('aaa');</script>";
        String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
        System.out.println("Spring JS Escape : " + str);          // Spring escapes '/' as '\/'
        str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
        System.out.println("Apache Commons Lang JS Escape : " + str); // Commons Lang 2.3 leaves '/' unescaped
    }
}
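
The following is an added example, not code from the issue, the reporter or Commons Lang. It implements a JavaScript string-literal escaper in the spirit of the post-LANG-363 behaviour (the escape set of backslash, both quotes, '/', and control characters is an assumption; the real StringEscapeUtils may differ in details) and adds the check that explains the reporter's IE observation: the HTML parser ends a <script> element at the first "</script" it sees in the element text, regardless of JavaScript string boundaries, so a literal containing "</script>" terminates the script early, while "<\/script>" does not and still decodes to the same runtime value. The function names escapeJavaScript, escapeWithoutSlash, breaksOutOfScript and roundTrip are hypothetical names for this example.

```javascript
// Added example for LANG-363 (not from Commons Lang): a JS string-literal
// escaper that, like the fixed escapeJavaScript(), escapes '/' as '\/'.
// Assumed escape set: backslash, both quote characters, '/', and the C0
// control characters (named escapes where JS has them, otherwise \uXXXX).
function escapeJavaScript(s) {
  let out = '';
  for (const ch of s) {
    const code = ch.codePointAt(0);
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case '\'': out += '\\\''; break;
      case '"':  out += '\\"';  break;
      case '/':  out += '\\/';  break;   // the LANG-363 addition
      case '\n': out += '\\n';  break;
      case '\r': out += '\\r';  break;
      case '\t': out += '\\t';  break;
      case '\b': out += '\\b';  break;
      case '\f': out += '\\f';  break;
      default:
        if (code < 0x20) {
          out += '\\u' + code.toString(16).padStart(4, '0');
        } else {
          out += ch;
        }
    }
  }
  return out;
}

// Models the pre-LANG-363 output (everything escaped except '/'), so the
// two behaviours can be compared on the same input.
function escapeWithoutSlash(s) {
  return escapeJavaScript(s).replace(/\\\//g, '/');
}

// The HTML tokenizer closes a <script> element at the first "</script"
// (ASCII case-insensitive) in the element's text; it knows nothing about
// JavaScript string literals. Reports whether the escaped text, once
// inlined in a <script> block, would still end that block early.
function breaksOutOfScript(escaped) {
  return /<\/script/i.test(escaped);
}

// Evaluates the escaped text as a single-quoted JS string literal to show
// the runtime value is unchanged: '\/' is an identity escape for '/'.
function roundTrip(escaped) {
  return new Function('return \'' + escaped + '\';')();
}

// Constructed input: the string from the issue description.
const payload = "<script>alert('aaa');</script>";

console.log('without / escaping :', escapeWithoutSlash(payload),
            '| breaks out of <script>?', breaksOutOfScript(escapeWithoutSlash(payload)));
console.log('with    / escaping :', escapeJavaScript(payload),
            '| breaks out of <script>?', breaksOutOfScript(escapeJavaScript(payload)));
console.log('round trip equal   :', roundTrip(escapeJavaScript(payload)) === payload);
```

The check is case-insensitive because the HTML end-tag match for script content is ASCII case-insensitive, so "</SCRIPT>" would break out just as "</script>" does; escaping every '/' covers both without having to special-case the tag name.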



Scott Bassin added a comment - 25/Oct/07 04:48 PM
Here's a patch that should fix the issue described. Also included is an extra assertion in testEscapeJavaScript of StringEscapeUtilsTest.

Henri Yandell added a comment - 26/Oct/07 06:07 AM
Heh - I even had a play with this when looking at the Spring one: http://opensource.atlassian.com/projects/spring/browse/SPR-1754

Not sure why I didn't submit a fix, probably too green with Spring at the time.


Henri Yandell added a comment - 26/Oct/07 06:09 AM
Thanks again Scott (and Situ for reporting it), patch applied:

svn ci -m "Applying Scott Bassin's fix and test from LANG-363" src/test/org/apache/commons/lang/StringEscapeUtilsTest.java src/java/org/apache/commons/lang/StringEscapeUtils.java

Sending src/java/org/apache/commons/lang/StringEscapeUtils.java
Sending src/test/org/apache/commons/lang/StringEscapeUtilsTest.java
Transmitting file data ..
Committed revision 588534.


Gary Gregory added a comment - 03/Apr/08 01:22 PM
fix typo in summary field

Henri Yandell added a comment - 11/May/08 05:02 AM
See LANG-437 for conversation about rolling this fix back. There are user complaints on the list that the change is causing problems.