EG confirmed that attribute values should be fully escaped, including any EL. Note...

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@702587 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/jasper/compiler/Parser.java b/java/org/apache/jasper/compiler/Parser.java
index 0f1a394..9cc9790 100644 (file)
--- a/java/org/apache/jasper/compiler/Parser.java
+++ b/java/org/apache/jasper/compiler/Parser.java
@@ -265,7 +265,6 @@ class Parser implements TagConstants {
     private String parseQuoted(Mark start, String tx, char quote)
             throws JasperException {
         StringBuffer buf = new StringBuffer();
-        boolean possibleEL = tx.contains("${");
         int size = tx.length();
         int i = 0;
         while (i < size) {
@@ -287,20 +286,10 @@ class Parser implements TagConstants {
                 }
             } else if (ch == '\\' && i + 1 < size) {
                 ch = tx.charAt(i + 1);
-                if (ch == '\\' || ch == '\"' || ch == '\'') {
-                    if (pageInfo.isELIgnored() || !possibleEL) {
-                        // EL is not enabled or no chance of EL
-                        // Unescape these now
-                        buf.append(ch);
-                        i += 2;
-                    } else {
-                        // EL is enabled and ${ appears in value
-                        // EL processing will escape these
-                        buf.append('\\');
-                        buf.append(ch);
-                        i += 2;
-                    }
-                } else if (ch == '>') {
+                if (ch == '\\' || ch == '\"' || ch == '\'' || (ch == '>')) {
+                    // \ " and ' are always unescaped regardless of if they are
+                    // or outside of an EL expression. JSP.1.6 takes precedence
+                    // over JSP.1.3.10 (confirmed with EG)
                     buf.append(ch);
                     i += 2;
                 } else {