Uploaded image for project: 'Wicket'
  1. Wicket
  2. WICKET-642

Need to escape select html option value

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.4, 1.2.5, 1.2.6, 1.3.0-beta1
    • Fix Version/s: 1.2.7, 1.3.0-rc1
    • Component/s: wicket
    • Labels:
      None
    • Environment:
      Any OS , tomcat server

      Description

      Versions affectec : My version of wicket is 1.2.4 .However it is present even in the trunk as well.

      Currently if option value contains double quotes in a dropdown choice,
      the value got on the server side is empty string.

      The method appendOptionHtml of AbstactChoice class does not
      escape markup for option values as it does for display values.

        Activity

        Hide
        dashorst Martijn Dashorst added a comment -

        I wasn't whining, just wondering if it were a great idea to patch it on 1.2.x too. Fortunately you took it that way, and implemented it. Now the 1.2.7 guys have this too (however, that is one reason less to move to 1.3, which is not so great)

        but THANKS!

        Show
        dashorst Martijn Dashorst added a comment - I wasn't whining, just wondering if it were a great idea to patch it on 1.2.x too. Fortunately you took it that way, and implemented it. Now the 1.2.7 guys have this too (however, that is one reason less to move to 1.3, which is not so great) but THANKS!
        Hide
        jcompagner Johan Compagner added a comment -

        you whiner.
        done.

        Show
        jcompagner Johan Compagner added a comment - you whiner. done.
        Hide
        dashorst Martijn Dashorst added a comment -

        Should we fix this also in 1.2.x?

        Show
        dashorst Martijn Dashorst added a comment - Should we fix this also in 1.2.x?
        Hide
        jcompagner Johan Compagner added a comment -

        call also escapeMarkup for the option value

        Show
        jcompagner Johan Compagner added a comment - call also escapeMarkup for the option value
        Hide
        ehillenius Eelco Hillenius added a comment -

        Assigned version (beta 4)

        Show
        ehillenius Eelco Hillenius added a comment - Assigned version (beta 4)
        Hide
        jdonnerstag Juergen Donnerstag added a comment -

        I tend to agree that all data put into the markup output by Wicket should be HTML escaped by default. I would change ChoiceRenderer.getIdValue() to escape the return value. But I guess it is Johan who knows more about than I do.

        Juergen

        Show
        jdonnerstag Juergen Donnerstag added a comment - I tend to agree that all data put into the markup output by Wicket should be HTML escaped by default. I would change ChoiceRenderer.getIdValue() to escape the return value. But I guess it is Johan who knows more about than I do. Juergen

          People

          • Assignee:
            jcompagner Johan Compagner
            Reporter:
            sbelur swaroop belur
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development