https://issues.apache.org/bugzilla/show_bug.cgi?id=55198
--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---
For the record, the change in 7.0.43 for this bug is r1500065

It changed how EL output is escaped in tag attributes - see bug 55735.

I think this change in EL escaping was an inadvertent one, as the original issue is about static content. It did not say anything about escaping of EL output.

As this issue is an older one, I will comment on the specification here.

1. Reading the JSP specification

JSP 2.3 (JSP2.3MR.pdf) chapter JSP.6.3.9 "Template Content" says how static content shall be rendered:

It says about XML fragments that "The interpretation of such an XML element is to pass its textual representation to the current value of out, after the whitespace processing described in Section JSP.6.2.3."

Testing this feature, I see an odd behaviour. A simple example would be a JSPX page like this:

[[[
<jsp:root version="2.0" xmlns:jsp="http://java.sun.com/JSP/Page">
<jsp:directive.page contentType="text/plain" />
<foo bar="&lt;HH&gt;" baz="&quot;JJ&quot;" foo="&amp;">
&lt;LL&gt;
</foo>
</jsp:root>
]]]

I expect it to render &lt;HH&gt;, &quot;JJ&quot;, &amp; and &lt;LL&gt;, as that is a textual representation of the above XML, but in all 7.0.47, 7.0.42 and 6.0.37 it renders:

foo="&" baz="&quot;JJ&quot;" bar="<HH>" and <LL>

Somehow only the quotes are rendered correctly.

2. It would be nice to expand what is written in JSP.6.2.3 to the EL expressions in those XML fragments, so that Tomcat renders well-formed XML, but it is likely that such an interpretation is wrong.

If I do such expansion, I would say that

- ELs in attributes of tags in XML fragments have to have their text content escaped
- ELs in tag bodies of tags in XML fragments have to have their text content escaped
- ELs in the body of <jsp:text/> elements shall be rendered as is, without escaping. As per JSP.6.2.3 <jsp:text/> generates arbitrary content.
- ELs in <![CDATA[...]]> blocks: The easy way is to render the content of CDATA blocks as text. In this case the usual escaping rules apply.
  (If CDATA were rendered as CDATA, the usual escaping rules do not apply, but one would have to beware of ']]>' in EL output).

It would be nice to interpret the specification this way and throw away a number of escapeXml calls, but it is likely that such an interpretation is wrong.

With r1500065 the ELs in attributes of tags in XML fragments are now escaped automatically. My own example is that the code like this in JSPX files

<a href="${fn:escapeXml(url)}">...</a>

now produces URLs that are escaped twice, with &amp;s. This is the issue reported in bug 55735.

This change has not changed how ELs are handled in tag bodies. Only attributes were affected.

Looking at textRotate.jspx in the Tomcat examples web application, it does not expect that ${name} expression were escaped automatically. It explicitly calls escapeXml().
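
The double escaping described in the comment above, as an added example that is not part of the original message and is not Tomcat or JSTL source. It compares what a client recovers from the href attribute when a page calls fn:escapeXml() with and without automatic attribute escaping. The class and method names and the sample URL are hypothetical, and the container's automatic escaping is assumed to make the same replacements as fn:escapeXml().

```java
public class DoubleEscapeDemo {
    // Same five replacements as JSTL's fn:escapeXml().
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the client's parser does to an attribute value: resolve entities once.
    // "&amp;" is handled last so that "&amp;lt;" decodes to "&lt;", not "<".
    static String unescapeOnce(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">")
                .replace("&#034;", "\"").replace("&#039;", "'")
                .replace("&amp;", "&");
    }

    // Model of <a href="${...}"> in a JSPX page (assumption: the container's
    // automatic attribute escaping behaves like escapeXml above).
    static String renderHref(String url, boolean pageCallsEscapeXml, boolean containerEscapes) {
        String v = pageCallsEscapeXml ? escapeXml(url) : url;
        return containerEscapes ? escapeXml(v) : v;
    }

    static void show(String label, String url, boolean page, boolean container) {
        String written = renderHref(url, page, container);
        String seen = unescapeOnce(written);
        System.out.printf("%-34s href=\"%s\"  client sees %s  %s%n",
                label, written, seen, seen.equals(url) ? "OK" : "MISMATCH");
    }

    public static void main(String[] args) {
        String url = "/search?q=a&lang=en"; // constructed sample value
        show("explicit only (before the change)", url, true, false);
        show("explicit + automatic (after)", url, true, true);
        show("automatic only (after)", url, false, true);
    }
}
```

Only the middle case reports MISMATCH: the value is escaped twice, so one round of entity resolution on the client leaves a literal `&amp;` in the URL instead of `&`.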