WICKET-2829: Tag attribute values are not escaped properly during writeOutput


Details

    • Improvement
    • Status: Resolved
    • Trivial
    • Resolution: Fixed
    • 1.4.7
    • 1.5-RC1
    • wicket
    • None
    • Wicket 1.4.7

    Description

      In WICKET-741, the double quote character was escaped, but the characters ' (single quote) and & (ampersand) are not escaped.
      With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validation marks it as an error.
      With ' not escaped, if a single quote is used instead of a double quote, as in:
      <tag attribute='value'/>
      the result will be broken, just as the double quote was before WICKET-741.

      I'm not sure if < and > characters should also be escaped. Some validators/parsers allow them, but some others mark them as errors. I would also replace them.

      I suggest adding the lines marked below to ComponentTag.writeOutput:

      // attributes without values are possible, e.g. ' disabled'
      if (value != null)
      {
          response.write("=\"");
          // '&' must be replaced first, otherwise the '&' of the entities added below would be escaped again
          value = Strings.replaceAll(value, "&", "&amp;"); // <--- added
          value = Strings.replaceAll(value, "\"", "&quot;");
          value = Strings.replaceAll(value, "\'", "&#039;"); // <----- added (numeric reference: &apos; is not defined in HTML 4)
          value = Strings.replaceAll(value, "<", "&lt;"); // <----- added
          value = Strings.replaceAll(value, ">", "&gt;"); // <----- added
          response.write(value);
          response.write("\"");
      }
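      As an added illustration (not the reporter's code and not Wicket's own), the class below reproduces the suggested replacement chain with plain String.replace instead of Strings.replaceAll and renders one constructed tag with and without it, so the effect of each unescaped character on the emitted markup can be seen. The names escapeAttributeValue and renderTag, the sample attribute values, and the &#039; form for the apostrophe are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Wicket code: demonstrates the escaping proposed for
// ComponentTag.writeOutput and why the order of replacements matters.
public class AttributeEscapeDemo {

    // Mirrors the suggested chain; String.replace stands in for Strings.replaceAll.
    static String escapeAttributeValue(String value) {
        // '&' first: the entity references introduced below contain '&' themselves,
        // and replacing '&' afterwards would turn "&quot;" into "&amp;quot;".
        value = value.replace("&", "&amp;");
        value = value.replace("\"", "&quot;");
        value = value.replace("'", "&#039;"); // numeric reference; &apos; is not in HTML 4
        value = value.replace("<", "&lt;");
        value = value.replace(">", "&gt;");
        return value;
    }

    // Writes name="value" pairs the way writeOutput does (always double-quoted);
    // attributes mapped to null are written without a value, e.g. disabled.
    static String renderTag(String tagName, Map<String, String> attrs, boolean escape) {
        StringBuilder sb = new StringBuilder("<").append(tagName);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            sb.append(' ').append(e.getKey());
            String v = e.getValue();
            if (v != null) {
                sb.append("=\"").append(escape ? escapeAttributeValue(v) : v).append('"');
            }
        }
        return sb.append("/>").toString();
    }

    public static void main(String[] args) {
        // Constructed values that exercise each character the issue lists.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("href", "page?a=1&b=2");         // bare '&' is not well-formed XML
        attrs.put("title", "it's \"quoted\" <b>"); // ', " and < > inside one value
        attrs.put("disabled", null);               // value-less attribute

        // The unescaped line shows the broken quoting; the escaped line is well-formed.
        System.out.println("unescaped: " + renderTag("a", attrs, false));
        System.out.println("escaped:   " + renderTag("a", attrs, true));
    }
}
```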


          People

            mgrigorov Martin Tzvetanov Grigorov
            rgevaerd Rodrigo Faria
            Votes: 1
            Watchers: 2
