Mantis Bugtracker
  

Viewing Issue Advanced Details
ID: 0003976
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 03-31-10 12:52
Last Update: 04-02-10 12:19
Reporter: ferg
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Projection: none
ETA: none
Fixed in Version: 4.0.6
Summary: 0003976: jsp:param behavior change in 4.0.5
Description (rep by Aaron Freeman)

We are experiencing a fundamental change in how data is being passed as
a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
intentional as it has a work-heavy impact on converting our code base
over which currently relies on the behavior of 3.0.x.

It appears that a call to jsp:include was automatically URL decoding any
strings that were passed in, and that that behavior has changed.

I have included source to two files that will demonstrate the behavior
change (in case it's not intentional). And here are the results of
running it:

---- on resin-pro-3.0.22 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ďand ampersand=
Here it is as seen inside of test-process.jsp:
Test: 1 < 2 and width="100%" and ampersand=&.


---- on resin-pro-4.0.5 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ďand ampersand=
Here it is as seen inside of test-process.jsp:
Test:+1+<+2+and+width="100%"+and+ampersand=&.



<%----- BEGIN test.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.sendthisfile.com/taglib/httputil" prefix="httputil" %>

<c:if test="${!empty param.textarea}">
     textarea param exists:

     ${param.textarea}



<c:set var="textareaUrlEncodedBefore"
value="${httputil:urlEncode(param.textarea)}"/>
     URL encoded before pass to jsp:include:

     ${textareaUrlEncodedBefore}


</c:if>

<%-- Set some requestscope variable in test.jsp --%>
<jsp:include page="/test-process.jsp">
<jsp:param name="textarea" value="${param.textarea}"/>
<jsp:param name="textareaUrlEncoded" value="${textareaUrlEncodedBefore}"/>
</jsp:include>

<form action="/test.jsp">

<textarea name="textarea">${requestScope.processedTextarea}</textarea>

<input type="submit"></input>

</form>

<c:if test="${!empty requestScope.urlEncoded}">
     Here it is as seen inside of test-process.jsp:

     ${requestScope.urlEncoded}
</c:if>
<%----- END test.jsp -----%>


<%----- BEGIN test-process.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<c:choose>

<c:when test="${empty param.textarea}">
<c:set var="processedTextarea" scope="request">Test: 1 < 2 and
width="100%" and ampersand=&.</c:set>
</c:when>

<c:otherwise>
<c:set var="processedTextarea" scope="request">${param.textarea}</c:set>
</c:otherwise>

</c:choose>

<c:set var="urlEncoded" scope="request">${param.textareaUrlEncoded}</c:set>
<%----- END test-process.jsp -----%>


Thanks for your thoughts on this,

- Notes
(0004515)
ferg
04-02-10 12:19

jsp/15n3

Even with the fix, though, Resin is responsible for any encoding, not the application. So it's incorrect to escape the content before sending it to Resin.
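
An added illustration of the encoding-ownership point in the note above (not part of the report and not Resin's code): the hypothetical `seenByInclude` model treats one jsp:param as a query-string pair and shows what the included page receives depending on who encodes. It assumes Java 10+ for the `Charset` overloads of `URLEncoder`/`URLDecoder`.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class JspParamEncodingDemo {
    // Test string from the report.
    static final String RAW = "Test: 1 < 2 and width=\"100%\" and ampersand=&.";

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Hypothetical model (an assumption, not Resin's implementation): the
    // container forwards one jsp:param as a query-string pair and the
    // included page parses it back.
    static String seenByInclude(String value, boolean containerEncodes) {
        String query = "textarea=" + (containerEncodes ? enc(value) : value);
        String pair = query.split("&", 2)[0];            // '&' ends the pair
        String v = pair.substring(pair.indexOf('=') + 1);
        try {
            return URLDecoder.decode(v, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {           // '%' not followed by two hex digits
            return "[undecodable] " + v;
        }
    }

    public static void main(String[] args) {
        String pre = enc(RAW);
        System.out.println("pre-encoded by app      : " + pre);
        // Container owns the encoding, app passes the raw value: exact round trip.
        System.out.println("raw, container encodes  : " + seenByInclude(RAW, true));
        // Nobody encodes: '&' cuts the value short and the '%' escape is invalid.
        System.out.println("raw, nobody encodes     : " + seenByInclude(RAW, false));
        // App pre-encodes, container only decodes: the include sees the original
        // text, which is the 3.0.22 result shown in the report.
        System.out.println("pre-encoded, decode only: " + seenByInclude(pre, false));
        // App pre-encodes and the container encodes too: the include sees the
        // encoded form, because one layer of encoding is left over.
        System.out.println("pre-encoded, both encode: " + seenByInclude(pre, true));
    }
}
```

The first output line reproduces the URL-encoded string shown in the report, and the last case is why pre-escaping in the application stops working once the container does the encoding itself.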
 

- Issue History
Date Modified Username Field Change
03-31-10 12:52 ferg New Issue
04-02-10 12:19 ferg Note Added: 0004515
04-02-10 12:19 ferg Assigned To  => ferg
04-02-10 12:19 ferg Status new => closed
04-02-10 12:19 ferg Resolution open => fixed
04-02-10 12:19 ferg Fixed in Version  => 4.0.6

