Description
In WICKET-741, the double quote character was escaped. But the characters ' (single quote) and & (ampersand) are not escaped.
With & not escaped, if it is included in an attribute value, the result is not XML compliant and XHTML validation marks it as an error.
With ' not escaped, if single quote is used instead of double quote as in:
<tag attribute='value'/>
The result will be broken just as double quote was before WICKET-741.
I'm not sure if < and > characters should also be escaped. Some validators/parsers allow them, but some others mark them as errors. I would also replace them.
I suggest adding the lines marked below to ComponentTag.writeOutput:
—
// attributes without values are possible, e.g. 'disabled'
if (value != null)
{
    response.write("=\"");
    value = Strings.replaceAll(value, "&", "&amp;"); // <--- added
    value = Strings.replaceAll(value, "\"", "&quot;");
    value = Strings.replaceAll(value, "\'", "&#039;"); // <----- added
    value = Strings.replaceAll(value, "<", "&lt;"); // <----- added
    value = Strings.replaceAll(value, ">", "&gt;"); // <----- added
    response.write(value);
    response.write("\"");
}
—
Issue Links
- breaks: WICKET-3608 input button escapes escaped value (Resolved)
- relates to: WICKET-5242 Disable escaping of html tag attributes (Closed)
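
The following is an added example, not part of the original issue or of Wicket's own code: a stand-alone Java class that escapes the five characters discussed in the description in a single pass, next to a chained replacement that handles & last, to show why the ampersand replacement has to come first. The class and method names, the choice of `&#039;` for the single quote, and the sample values are assumptions made for illustration.

```java
import java.util.List;

public class AttributeEscapeDemo {

    /** Escapes a raw (not yet escaped) attribute value in a single pass. */
    static String escapeAttribute(CharSequence raw) {
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#039;"); break; // numeric form, valid in HTML and XML
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Chained replacement with '&' handled last: re-escapes the entities it just wrote. */
    static String escapeAmpersandLast(String raw) {
        return raw.replace("\"", "&quot;").replace("'", "&#039;")
                  .replace("<", "&lt;").replace(">", "&gt;")
                  .replace("&", "&amp;");
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        List<String> samples = List.of(
            "Tom & Jerry",
            "it's",
            "x' title='y",            // would end a single-quoted attribute early
            "a < b > c",
            "already &amp; escaped"); // escaped once upstream
        for (String s : samples) {
            System.out.println("raw            : " + s);
            System.out.println("single pass    : <input value='" + escapeAttribute(s) + "'/>");
            System.out.println("ampersand last : <input value='" + escapeAmpersandLast(s) + "'/>");
        }
    }
}
```

The last sample shows that an escaper applied at output time cannot tell raw input from input that was already escaped upstream: `&amp;` comes out as `&amp;amp;`, so callers must pass unescaped values.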