From: markt
Date: Fri, 16 May 2008 22:28:09 +0000 (+0000)
Subject: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=84936521ea32f29e98a75949cdefb1ce5b09939d;p=tomcat7.0
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
You can't use an unescaped quote in an attribute value if you have quoted the value using that quote character
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@657231 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/jasper/compiler/Parser.java b/java/org/apache/jasper/compiler/Parser.java
index 765a73a9a..84a05a5ea 100644
--- a/java/org/apache/jasper/compiler/Parser.java
+++ b/java/org/apache/jasper/compiler/Parser.java
@@ -244,7 +244,8 @@ class Parser implements TagConstants {
 err.jspError(start, "jsp.error.attribute.unterminated", watch);
 }
- String ret = parseQuoted(reader.getText(start, stop));
+ String ret = parseQuoted(start, reader.getText(start, stop),
+ watch.charAt(watch.length() - 1));
 if (watch.length() == 1) // quote
 return ret;
@@ -257,7 +258,8 @@ class Parser implements TagConstants {
 * QuotedChar ::= ''' | '"' | '\\' | '\"' | "\'" | '\>' | '\$' |
 * Char
 */
- private String parseQuoted(String tx) {
+ private String parseQuoted(Mark start, String tx, char quote)
+ throws JasperException {
 StringBuffer buf = new StringBuffer();
 int size = tx.length();
 int i = 0;
@@ -291,6 +293,10 @@ class Parser implements TagConstants {
 buf.append('\\');
 ++i;
 }
+ } else if (ch == quote) {
+ // Unescaped quote character
+ err.jspError(start, "jsp.error.attribute.noescape", tx,
+ "" + quote);
 } else {
 buf.append(ch);
 ++i;
diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties
index 9cdba8867..f5ab6ffe4 100644
--- a/java/org/apache/jasper/resources/LocalStrings.properties
+++ b/java/org/apache/jasper/resources/LocalStrings.properties
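Review bot: In the first Parser.java hunk the quote passed to parseQuoted is `watch.charAt(watch.length() - 1)`, so the new check also runs when `watch` is longer than one character, the case that the `if (watch.length() == 1) // quote` line just below distinguishes. That longer-delimiter path continues outside the hunk, so this is inferred, but if it wraps an expression-style value then any page that uses the enclosing quote character inside such a value now fails translation where it was accepted before. I would add a comment at the call, `// last char of watch is the closing quote; the check applies to every delimiter form`, and record the behaviour change in the changelog so deployers can find affected pages before upgrading.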
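Review bot: The comment block above parseQuoted (it starts outside the second Parser.java hunk) still documents only the QuotedChar grammar and says nothing about the two new parameters or the new failure mode. I would add `@param start mark passed to err.jspError when the value is rejected`, `@param quote the character that delimits the value in the page` and `@throws JasperException if quote appears unescaped in tx`. Without this, the next reader has to trace the call site to learn that `quote` is the closing delimiter and not a character to be stripped.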
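Review bot: The new `else if (ch == quote)` branch in the third Parser.java hunk is the only branch shown that does not advance `i`, so the enclosing loop (which starts outside the hunk) terminates only if `err.jspError` always throws. The added `throws JasperException` suggests that is the intent, but it is not visible here, and a later change to the error handling would turn a malformed page into a scan that never ends. State the assumption in the comment, `// Unescaped quote character; jspError() throws, so i is deliberately not advanced`, or add `++i;` after the call so the scan always makes progress.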
@@ -341,6 +341,7 @@ jsp.error.nomatching.fragment=Cannot find an attribute directive (with name={0}
 jsp.error.attribute.noequal=equal symbol expected
 jsp.error.attribute.noquote=quote symbol expected
 jsp.error.attribute.unterminated=attribute for {0} is not properly terminated
+jsp.error.attribute.noescape=Attribute value {0} is quoted with {1} which must be escaped when used within the value
 jsp.error.missing.tagInfo=TagInfo object for {0} is missing from TLD
 jsp.error.deferredmethodsignaturewithoutdeferredmethod=Cannot specify a method signature if 'deferredMethod' is not 'true'
 jsp.error.deferredvaluetypewithoutdeferredvalue=Cannot specify a value type if 'deferredValue' is not 'true'