
Tag attributes values are not escaped properly during writeOutput


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 1.4.7
    • Fix Version/s: 1.5-RC1
    • Component/s: wicket
    • Labels: None
    • Environment: Wicket 1.4.7

      Description

      In WICKET-741, the double quote character was escaped. But the characters: ' (single quote) and & (ampersand) are not escaped.
      With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validation marks it as an error.
      With ' not escaped, if a single quote is used instead of a double quote, as in:
      <tag attribute='value'/>
      the result will be broken, just as it was with the double quote before WICKET-741.

      I'm not sure if the < and > characters should also be escaped. Some validators/parsers allow them, but some others mark them as errors. I would also replace them.

      I suggest adding the lines marked below to ComponentTag.writeOutput:

      // attributes without values are possible, e.g. ' disabled'
      if (value != null)
      {
          response.write("=\"");
          // '&' is replaced first so the entities written below are not escaped again
          value = Strings.replaceAll(value, "&", "&amp;"); // <--- added
          value = Strings.replaceAll(value, "\"", "&quot;");
          value = Strings.replaceAll(value, "\'", "&#039;"); // <----- added
          value = Strings.replaceAll(value, "<", "&lt;"); // <----- added
          value = Strings.replaceAll(value, ">", "&gt;"); // <----- added
          response.write(value);
          response.write("\"");
      }
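      An added, stand-alone example (not Wicket's own code) of the escaping proposed above: it uses java.lang.String.replace in place of Wicket's Strings.replaceAll, mirrors the writeOutput fragment in a renderAttribute helper, and includes a deliberately mis-ordered variant to show why the ampersand replacement has to run before the other four.

```java
// Added example, not part of Wicket. Names (AttributeEscapeExample, escapeAttributeValue,
// escapeAmpersandLast, renderAttribute) are assumptions for this illustration.
public final class AttributeEscapeExample {

    /** Escapes the five characters that can break or invalidate an attribute value. */
    static String escapeAttributeValue(String value) {
        // '&' first: every entity below introduces a new '&', and replacing '&'
        // afterwards would turn "&quot;" into "&amp;quot;" (double escaping).
        value = value.replace("&", "&amp;");
        value = value.replace("\"", "&quot;");
        value = value.replace("'", "&#039;");
        value = value.replace("<", "&lt;");
        value = value.replace(">", "&gt;");
        return value;
    }

    /** Same replacements with '&' done last, to show the double-escaping defect. */
    static String escapeAmpersandLast(String value) {
        value = value.replace("\"", "&quot;");
        value = value.replace("'", "&#039;");
        value = value.replace("<", "&lt;");
        value = value.replace(">", "&gt;");
        value = value.replace("&", "&amp;"); // corrupts the entities produced above
        return value;
    }

    /** Mirrors the writeOutput fragment: name="escaped value", or just name when value is null. */
    static String renderAttribute(String name, String value) {
        StringBuilder response = new StringBuilder(name);
        if (value != null) {
            response.append("=\"").append(escapeAttributeValue(value)).append('"');
        }
        return response.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value containing all five characters of interest.
        String value = "a&b \"c\" 'd' <e>";
        System.out.println(renderAttribute("title", value));     // correct order
        System.out.println(renderAttribute("disabled", null));   // attribute without value
        System.out.println(escapeAmpersandLast(value));          // wrong order, for comparison
    }
}
```

      Compare the first and third lines of output: the correctly ordered version yields one entity per special character, while the mis-ordered one prefixes every entity with "&amp;".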

        Attachments

        1. a.html (0.1 kB, Attila Király)
        People

        • Assignee: Martin Tzvetanov Grigorov (mgrigorov)
        • Reporter: Rodrigo Faria (rgevaerd)
        • Votes: 1
        • Watchers: 2