Click / CLK-31

Escaping Quote Characters in Components' toString

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: core
    • Labels:
      None
    • Environment:
      All

      Description

      First off, thanks for Click. It's great!

      I've run into some minor trouble with attribute, name, id, and field values that contain single-quote (') characters. Since the toString wraps attribute values in single-quotes, attribute values containing single-quotes cause invalid HTML to be emitted in the resulting webpages.

      As an expedient to get past my problem at hand, I modified the toString method of TextField to perform a replaceAll("'", "&#39;") on the getValue call. (Just in case JIRA chokes on the replacement string, it is ampersand-octothorpe-3-9-semicolon.) String.replaceAll is not available in Java 1.3 and earlier, but I don't think this is a problem for Click since the "Building" page specs "1.4 or later".

      Please consider making this change for the HTML-emitting toString methods.

      Thank you,

      Mike Organek

        Activity

        Malcolm Edgar added a comment -

        Will include fix in 0.15 release.

        There are possibly situations where single quote needs to be preserved, such as JavaScript. Will need to investigate. Could you please attach your modified TextField.java file?

        thanks Malcolm

        Mike Organek added a comment -

        Malcolm,

        Thank you for the quick response.

        I have attached the TextField.java as you requested. The diff looks like:

        300c300
        < buffer.append(getValue());

        > buffer.append(getValue().replaceAll("'", "'"));
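
        Review bot: the `>` line at 300 escapes only the single quote (to &#39;, per the description), so a value containing &, <, > or " is still appended raw, and the same replaceAll would have to be repeated in every component's toString. Suggest one shared helper that escapes all five characters and is called wherever an attribute value is appended. Note also that the old buffer.append(getValue()) tolerates a null value while getValue().replaceAll(...) dereferences it, so guard the call if getValue() can return null.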

        I did run into a JavaScript problem earlier that would be solved by doing the same thing. The code looked something like this:

        Submit sb = new Submit("Delete Record");
        sb.setAttribute("onclick", "return confirm(\"Are you sure. . . this user's record?\");");

        I think the correct escape sequence for "user's" to get it to work as the argument to the JavaScript confirm() is one of: "\\\\'" or "\\\'". I didn't get that far: I just reworded the confirmation dialog.

        I just tested the conversion with JavaScript in FireFox 1.0.7/Linux, and the following works:

        onclick='return confirm(&#39;This is a test&#39;);'

        While this does not:

        onclick='return confirm(\'This is a test\');'

        Thank you,

        Mike Organek

        Malcolm Edgar added a comment -

        The fix will use a new HtmlStringBuffer class which will handle rendering of HTML elements and escaping their attribute values.

        This will probably be available next week.

        regards Malcolm Edgar

        Malcolm Edgar added a comment -

        Escape handling changes are checked into CVS.

        regards Malcolm Edgar

        Malcolm Edgar added a comment -

        Will be available in release 0.15


          People

          • Assignee:
            Malcolm Edgar
            Reporter:
            Mike Organek