[LANG-363] StringEscapeUtils.escapeJavaScript() method did not escape '/' into '\/', it will make IE render page uncorrectly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.3
Fix Version/s: 2.4
Component/s: None
Labels:
None
Environment:

JDK1.5 + commons-lang-2.3.jar + IE 6.0

Description

If Javascripts including'/', IE will parse the scripts uncorrectly, actually '/' should be escaped to '\/'.
For example, document.getElementById("test").value = '<script>alert(\'aaa\');</script>';this expression will make IE render page uncorrect, it should be document.getElementById("test").value = '<script>alert(\'aaa\');<\/script>';

Btw, Spring's JavascriptEscape behavor is correct.
Try to run below codes, you will find the difference:
String s = "<script>alert('aaa');</script>";
String str = org.springframework.web.util.JavaScriptUtils.javaScriptEscape(s);
System.out.println("Spring JS Escape : "+str);
str = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(s);
System.out.println("Apache Common Lang JS Escape : "+ str);

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

patch.txt
25/Oct/07 16:48
2 kB
Scott Bassin

Issue Links

relates to

LANG-437 Complaints that the IE fix for StringEscapeUtils.escapeJavaScript is causing problems elsewhere. Rollback?

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Situ Chenghao

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 23/Oct/07 07:12

Updated:: 11/May/08 05:02

Resolved:: 26/Oct/07 06:09