0003976: jsp:param behavior change in 4.0.5

Viewing Issue Advanced Details [ Jump to Notes ]

[ View Simple ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0003976

[Resin]

minor

always

03-01-10 12:52

04-02-10 12:19

Reporter

ferg

View Status

public

Assigned To

ferg

Priority

normal

Resolution

fixed

Platform

Status

closed

Projection

none

OS Version

ETA

none

Fixed in Version

4.0.6

Product Version

Product Build

Summary

0003976: jsp:param behavior change in 4.0.5

Description

(rep by Aaron Freeman)

We are experiencing a fundamental change in how data is being passed as
a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
intentional as it has a work-heavy impact on converting our code base
over which currently relies on the behavior of 3.0.x.

It appears that a call to jsp:include was automatically URL decoding any
strings that were passed in, and that that behavior has changed.

I have included source to two files that will demonstrate the behavior
change (in case it's not intentional). And here are the results of
running it:

---- on resin-pro-3.0.22 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ïand ampersand=
Here it is as seen inside of test-process.jsp:
Test: 1 < 2 and width="100%" and ampersand=&.

---- on resin-pro-4.0.5 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ïand ampersand=
Here it is as seen inside of test-process.jsp:
Test:+1+<+2+and+width="100%"+and+ampersand=&.

<%----- BEGIN test.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" [^] prefix="c" %>
<%@ taglib uri="http://www.sendthisfile.com/taglib/httputil" [^]
prefix="httputil" %>

<c:if test="${!empty param.textarea}">
     textarea param exists:

     ${param.textarea}

<c:set var="textareaUrlEncodedBefore"
value="${httputil:urlEncode(param.textarea)}"/>
     URL encoded before pass to jsp:include:

     ${textareaUrlEncodedBefore}

</c:if>

<%-- Set some requestscope variable in test.jsp --%>
<jsp:include page="/test-process.jsp">
<jsp:param name="textarea" value="${param.textarea}"/>
<jsp:param name="textareaUrlEncoded" value="${textareaUrlEncodedBefore}"/>
</jsp:include>

<form action="/test.jsp">

<textarea name="textarea">${requestScope.processedTextarea}</textarea>

<input type="submit"></input>

</form>

<c:if test="${!empty requestScope.urlEncoded}">
     Here it is as seen inside of test-process.jsp:

     ${requestScope.urlEncoded}
</c:if>
<%----- END test.jsp -----%>

<%----- BEGIN test-process.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" [^] prefix="c" %>

<c:choose>

<c:when test="${empty param.textarea}">
<c:set var="processedTextarea" scope="request">Test: 1 < 2 and
width="100%" and ampersand=&.</c:set>
</c:when>

<c:otherwise>
<c:set var="processedTextarea" scope="request">${param.textarea}</c:set>
</c:otherwise>

</c:choose>

<c:set var="urlEncoded" scope="request">${param.textareaUrlEncoded}</c:set>
<%----- END test-process.jsp -----%>

Thanks for your thoughts on this,

Steps To Reproduce

Additional Information

Attached Files

Relationships

Notes
(0004515) ferg 04-02-10 12:19	jsp/15n3 Even with the fix, though, Resin is responsible for any encoding, not the application. So it's incorrect to escape the content before sending it to Resin.

Issue History
Date Modified	Username	Field	Change
03-01-10 12:52	ferg	New Issue
04-02-10 12:19	ferg	Note Added: 0004515
04-02-10 12:19	ferg	Assigned To	=> ferg
04-02-10 12:19	ferg	Status	new => closed
04-02-10 12:19	ferg	Resolution	open => fixed
04-02-10 12:19	ferg	Fixed in Version	=> 4.0.6

Mantis 1.0.0rc3[^]

28 total queries executed.
25 unique queries executed.