Bug 45015 - Quoting in attributes
Quoting in attributes
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Servlet & JSP API
6.0.26
PC Windows Vista
: P2 normal (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2008-05-16 04:22 UTC by Eric Taix
Modified: 2014-02-17 13:41 UTC (History)
3 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Taix 2008-05-16 04:22:28 UTC
According to JSP 2.0 specification (chapter 1.7 page 72,73)

This code is illegal:
<mytags:tag value="<%= "hi!" %>" />

Instead the correct sentence would be:
<mytags:tag value='<%= "hi!" %>' />
<mytags:tag value="<%= \"hi!\" %>" />
<mytags:tag value='<%= \"name\" %>' />
...

But Tomcat 5.5 accept the first sentence. It's not a real bug but accepting a wrong sentence allow developpers to write code which does not respect the JSP specification. And when this code is executing in another servlet container (Websphere 6.1 for example) it doesn't work.
Comment 1 Mark Thomas 2008-05-16 15:31:29 UTC
This has been fixed in trunk and proposed for 5.5.x and 6.0.x
Comment 2 Mark Thomas 2008-06-26 12:54:27 UTC
This has been fixed in 6.0.x and will be in 6.0.17 onwards.
Comment 3 Cédrik LIME 2008-08-07 09:54:16 UTC
A quick note to anyone being bitten by this bug fix: you can easily search which of your JSPs (*.jsp*) need to be updated with the following regular expression (take a deep breath):

<\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'

Unfortunately, I haven't found a way to automatically fix JSPs, but at least you (hopefully) won't forget any!
Comment 4 Mark Thomas 2008-08-14 02:04:39 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.
Comment 5 Tapas Adhikary 2008-10-01 01:30:09 UTC
Mark,
I am using Tomcat 5.5.27 on Linux but still facing the problem.
I am using c:ret tld and using following code in my abc.jsp,

<c-rt:set var="currUrl" value="<%=request.getAttribute((String)pageContext.getAttribute("param")+"_Url")%>" />
While jsp compilation , I am getting following error,
org.apache.jasper.JasperException: file:browser/abc.jsp(51,42) Attribute value request.getAttribute((String)pageContext.getAttribute("param")+"_Url") is quoted with " which must be escaped when used within the value.

When I modify the code with escape character it works fine.This is my modified code,
<c-rt:set var="currUrl" value="<%=request.getAttribute((String)pageContext.getAttribute(\"param\")+\"_Url\")%>" />

According to comment # 4 this issue is resolved. But I am not sure if it is resolved for Linux version of Tomcat 5.5.27 too.

Let me know if you need more info on this.

One quick question , Do I have to set any Tomcat JVM options to get rid of the issue temporarily??


Comment 6 Tapas Adhikary 2008-10-01 02:16:03 UTC
I see the same issue for some files having nested quotes and dont see it for some other files having the same kind of nested quoting.

The kind of quoting giving the problem is mentioned in my previous comment.
But the following seam to the working.
id="<%= c.var("ActivityBanner.Name") %><%= c.var("ActivityBanner.Index") %>"

I don't see any particular standard way in which it fails. Both the cases i have used tomcat 5.5.27
Comment 7 Mark Thomas 2008-10-01 03:47:06 UTC
Re comment 5, what you are seeing is the correct behaviour. The checking can be relaxed. See http://tomcat.apache.org/tomcat-5.5-doc/config/systemprops.html

Re comment 6, that could be a bug. Can you provide the simplest complete JSP that demonstrates the issue please.
Comment 8 Mark Thomas 2008-10-03 08:39:53 UTC
I have done some more testing and I can't repeat the issue reported in comment 6. If you still see it, please re-open this report and add the simplest JSP that demonstrates the issue.
Comment 9 Sam 2008-10-06 04:44:46 UTC
Hi,

I use apache-tomcat-6.0.18 with jdk1.5.0_13. Ant version is apache-ant-1.6.2.

[b]While using ant to pre-compile JSPs, i get the error message related to quotes and compilation fails.[/b]

See user list discussion 
http://mail-archives.apache.org/mod_mbox/tomcat-users/200810.mbox/%3C20D88322B9D55444A327FEB661C303900BD408E4@HYD-MDP-MBX01.wipro.com%3E 

I have tried all that i could (available in link above), but it seems it does not work without code changes. i.e. the System property is not effective for precompilation

Please check if this is a bug as this is a blocker for us now?
Comment 10 Mark Thomas 2008-10-06 06:19:56 UTC
Comment #9 is a question for the Tomcat users list, or possibly even the Ant users list.
Comment 11 Sean Stephenson 2009-08-25 08:50:53 UTC
Thanks to Cedric for the helpful regex.  I've modified it a bit so it can actually be used to replace and fix (most) instances of this problem automatically.  If you have an IDE that supports regex replace (I used IDEA), do a replace in path for this regex:

(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"

For the replacement text, enter:

$1'$2'

Doing this was a necessity for me as I had to make thousands of changes to over 300 JSP files on the code base I'm working on.  I have to say I think this should have been implemented as an opt-in fix via a config or something, rather than breaking backward compatibility for every tomcat user.  Please be more careful in the future guys.  We rely on you to not do things like this to us.
Comment 12 Sean Stephenson 2009-08-25 08:59:35 UTC
Ok.  I guess I should have read this thread a little more carefully before spending hours fixing all this.  So there is an opt-out for the strict parsing.

http://tomcat.apache.org/tomcat-5.5-doc/config/systemprops.html

Too late for me.  Maybe it would be helpful to put something like "or disable strict quote checking" in the error message?
Comment 13 youweiwang 2009-11-12 00:05:07 UTC
You can add this config option to the file "catalina.properties" which is in the directory of "%tomcat_home%/conf",as follows:
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
And the problem will be resolved
(In reply to comment #3)
> A quick note to anyone being bitten by this bug fix: you can easily search
> which of your JSPs (*.jsp*) need to be updated with the following regular
> expression (take a deep breath):
> 
> <\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'
> 
> Unfortunately, I haven't found a way to automatically fix JSPs, but at least
> you (hopefully) won't forget any!
Comment 14 William Leung 2010-03-23 07:17:47 UTC
Test in TC 6.0.26, the "strip quote escaping Parser" didn't work.

-- JUST use this testing code
<mytags:tag value="<%= "hi!" %>" />

-- I setup a jspc command line to debug the JspC
-- Then I reaches this stack frames
main@1, prio=5, in group 'main', status: 'RUNNING'
	  at org.apache.jasper.compiler.AttributeParser.getUnquoted(AttributeParser.java:54)
	  at org.apache.jasper.compiler.Parser.parseAttributeValue(Parser.java:249)
	  at org.apache.jasper.compiler.Parser.parseAttribute(Parser.java:205)
	  at org.apache.jasper.compiler.Parser.parseAttributes(Parser.java:148)
	  at org.apache.jasper.compiler.Parser.parseCustomTag(Parser.java:1204)
	  at org.apache.jasper.compiler.Parser.parseElementsScriptless(Parser.java:1467)
	  at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1385)
	  at org.apache.jasper.compiler.Parser.parseBody(Parser.java:1630)
	  at org.apache.jasper.compiler.Parser.parseOptionalBody(Parser.java:974)
	  at org.apache.jasper.compiler.Parser.parseCustomTag(Parser.java:1242)
	  at org.apache.jasper.compiler.Parser.parseElementsScriptless(Parser.java:1467)
	  at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1385)
	  at org.apache.jasper.compiler.Parser.parseBody(Parser.java:1630)
	  at org.apache.jasper.compiler.Parser.parseOptionalBody(Parser.java:974)
	  at org.apache.jasper.compiler.Parser.parseCustomTag(Parser.java:1242)
	  at org.apache.jasper.compiler.Parser.parseElementsScriptless(Parser.java:1467)
	  at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1385)
	  at org.apache.jasper.compiler.Parser.parseBody(Parser.java:1630)
	  at org.apache.jasper.compiler.Parser.parseOptionalBody(Parser.java:974)
	  at org.apache.jasper.compiler.Parser.parseCustomTag(Parser.java:1242)
	  at org.apache.jasper.compiler.Parser.parseElementsScriptless(Parser.java:1467)
	  at org.apache.jasper.compiler.Parser.parseBody(Parser.java:1633)
	  at org.apache.jasper.compiler.Parser.parseJspBody(Parser.java:1584)
	  at org.apache.jasper.compiler.Parser.parseJspAttributeAndBody(Parser.java:1001)
	  at org.apache.jasper.compiler.Parser.parseOptionalBody(Parser.java:972)
	  at org.apache.jasper.compiler.Parser.parseCustomTag(Parser.java:1242)
	  at org.apache.jasper.compiler.Parser.parseElements(Parser.java:1418)
	  at org.apache.jasper.compiler.Parser.parse(Parser.java:130)
	  at org.apache.jasper.compiler.ParserController.doParse(ParserController.java:255)
	  at org.apache.jasper.compiler.ParserController.parse(ParserController.java:103)
	  at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:185)
	  at org.apache.jasper.compiler.Compiler.compile(Compiler.java:347)
	  at org.apache.jasper.JspC.processFile(JspC.java:1182)
	  at org.apache.jasper.JspC.execute(JspC.java:1331)
	  at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-1)
	  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	  at java.lang.reflect.Method.invoke(Method.java:597)
	  at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
	  at org.apache.tools.ant.TaskAdapter.execute(TaskAdapter.java:134)
	  at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
	  at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-1)
	  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	  at java.lang.reflect.Method.invoke(Method.java:597)
	  at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:105)
	  at org.apache.tools.ant.Task.perform(Task.java:348)
	  at org.apache.tools.ant.Target.execute(Target.java:357)
	  at org.apache.tools.ant.Target.performTasks(Target.java:385)
	  at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1329)
	  at org.apache.tools.ant.Project.executeTarget(Project.java:1298)
	  at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
	  at org.apache.tools.ant.Project.executeTargets(Project.java:1181)
	  at org.apache.tools.ant.Main.runBuild(Main.java:698)
	  at org.apache.tools.ant.Main.startAnt(Main.java:199)
	  at org.apache.tools.ant.launch.Launcher.run(Launcher.java:257)
	  at org.apache.tools.ant.launch.Launcher.main(Launcher.java:104)

-- In this frame: parseAttributeValue(Parser.java:249) - 
   The method signature is: private String parseAttributeValue(String watch) throws JasperException
   We can see the parameter (watch)'s value is three characters: '%', '>', '"' 
   So after this code fragment executed
   -> 245      char quote = 0;
   -> 246      if (watch.length() == 1) {
   -> 247          quote = watch.charAt(0);
   -> 248      }
   the "quote" variable is actually 0
   so event the system property "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING" isn't set to "false"
   the strit parser didn't report for this problem 
   ->  (codes in org.apache.jasper.compiler.AttributeParser)
   -> 307      } else if (ch == quote && strict) {
   -> 308          String msg = Localizer.getMessage("jsp.error.attribute.noescape",
   -> 309                  input, ""+ quote);
   -> 310          throw new IllegalArgumentException(msg);
   -> 311      } else {
   the line 307's condition should never be evaluated to "true"
Comment 15 William Leung 2010-03-23 12:09:56 UTC
Test this issue in 6.0.20, and it works. So there should be a regression between 6.0.21 and 6.0.26
Comment 16 Mark Thomas 2010-03-25 21:41:02 UTC
Confirmed. I have a failing test case. I'll add that to trunk and then work on a fix.
Comment 17 Mark Thomas 2010-03-25 22:51:23 UTC
This has been re-fixed in trunk and proposed for 6.0.x

Moving to 6.0.x since the regression does not exist in 5.5.x
Comment 18 Mark Thomas 2010-05-14 15:27:43 UTC
This has been fixed in 6.0.x and will be included in 6.0.27 onwards.
Comment 19 bj92 2011-06-30 14:54:22 UTC
adding org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false in catalina.properties worked for me

Thanks to (In reply to comment #13)
> You can add this config option to the file "catalina.properties" which is in
> the directory of "%tomcat_home%/conf",as follows:
> org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
> And the problem will be resolved
> (In reply to comment #3)
> > A quick note to anyone being bitten by this bug fix: you can easily search
> > which of your JSPs (*.jsp*) need to be updated with the following regular
> > expression (take a deep breath):
> > 
> > <\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'
> > 
> > Unfortunately, I haven't found a way to automatically fix JSPs, but at least
> > you (hopefully) won't forget any!

Worked for me, thanks !!