Mantis Bugtracker
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0003976 [Resin] minor always 03-03-10 12:52 04-02-10 12:19
Reporter ferg View Status public  
Assigned To ferg
Priority normal Resolution fixed  
Status closed   Product Version
Summary 0003976: jsp:param behavior change in 4.0.5
Description (rep by Aaron Freeman)

We are experiencing a fundamental change in how data is being passed as
a jsp:param between 3.0.22 and 4.0.5. We need to know if this change is
intentional as it has a work-heavy impact on converting our code base
over which currently relies on the behavior of 3.0.x.

It appears that a call to jsp:include was automatically URL decoding any
strings that were passed in, and that that behavior has changed.

I have included source to two files that will demonstrate the behavior
change (in case it's not intentional). And here are the results of
running it:

---- on resin-pro-3.0.22 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ďand ampersand=
Here it is as seen inside of test-process.jsp:
Test: 1 < 2 and width="100%" and ampersand=&.


---- on resin-pro-4.0.5 ----

URL encoded before pass to jsp:include:
Test%3A+1+%3C+2+and+width%3D%22100%25%22+and+ampersand%3D%26.

Test: 1 < 2 and width="100ďand ampersand=
Here it is as seen inside of test-process.jsp:
Test:+1+<+2+and+width="100%"+and+ampersand=&.



<%----- BEGIN test.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" [^] prefix="c" %>
<%@ taglib uri="http://www.sendthisfile.com/taglib/httputil" [^]
prefix="httputil" %>

<c:if test="${!empty param.textarea}">
     textarea param exists:

     ${param.textarea}



<c:set var="textareaUrlEncodedBefore"
value="${httputil:urlEncode(param.textarea)}"/>
     URL encoded before pass to jsp:include:

     ${textareaUrlEncodedBefore}


</c:if>

<%-- Set some requestscope variable in test.jsp --%>
<jsp:include page="/test-process.jsp">
<jsp:param name="textarea" value="${param.textarea}"/>
<jsp:param name="textareaUrlEncoded" value="${textareaUrlEncodedBefore}"/>
</jsp:include>

<form action="/test.jsp">

<textarea name="textarea">${requestScope.processedTextarea}</textarea>

<input type="submit"></input>

</form>

<c:if test="${!empty requestScope.urlEncoded}">
     Here it is as seen inside of test-process.jsp:

     ${requestScope.urlEncoded}
</c:if>
<%----- END test.jsp -----%>


<%----- BEGIN test-process.jsp -----%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" [^] prefix="c" %>

<c:choose>

<c:when test="${empty param.textarea}">
<c:set var="processedTextarea" scope="request">Test: 1 < 2 and
width="100%" and ampersand=&.</c:set>
</c:when>

<c:otherwise>
<c:set var="processedTextarea" scope="request">${param.textarea}</c:set>
</c:otherwise>

</c:choose>

<c:set var="urlEncoded" scope="request">${param.textareaUrlEncoded}</c:set>
<%----- END test-process.jsp -----%>


Thanks for your thoughts on this,
Additional Information
Attached Files

- Relationships

- Notes
(0004515)
ferg
04-02-10 12:19

jsp/15n3

Even with the fix, though, Resin is responsible for any encoding, not the application. So it's incorrect to escape the content before sending it to Resin.
 

- Issue History
Date Modified Username Field Change
03-03-10 12:52 ferg New Issue
04-02-10 12:19 ferg Note Added: 0004515
04-02-10 12:19 ferg Assigned To  => ferg
04-02-10 12:19 ferg Status new => closed
04-02-10 12:19 ferg Resolution open => fixed
04-02-10 12:19 ferg Fixed in Version  => 4.0.6


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
28 total queries executed.
25 unique queries executed.
Powered by Mantis Bugtracker