ICEfaces / ICE-5742

Escape CDATA end marker for partial response

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-Alpha2
    • Fix Version/s: 2.0-Alpha3, 2.0.0
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      ICEfaces 2.0

      Description


      If a component writes out a CDATA section, the end marker "]]>" can prematurely end the CDATA section in use by a partial response.

      For instance, this is the case with the ui:debug:

      <script language="javascript" type="text/javascript">
      //<![CDATA[
      function faceletsDebug(URL) { day = new Date(); id = day.getTime(); eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=600,left = 240,top = 212');"); };var faceletsOrigKeyup = document.onkeyup; document.onkeyup = function(e) { if (window.event) e = window.event; if (String.fromCharCode(e.keyCode) == 'P' & e.shiftKey & e.ctrlKey) faceletsDebug('/basic/icefaces.jsf?facelets.ui.DebugOutput=1274286830705'); else if (faceletsOrigKeyup) faceletsOrigKeyup(e); };
      //]]>
      </script>

      -------------
      <script language="javascript" type="text/javascript">
      //<![CDATA[
      function faceletsDebug(URL) { day = new Date(); id = day.getTime(); eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=600,left = 240,top = 212');"); };var faceletsOrigKeyup = document.onkeyup; document.onkeyup = function(e) { if (window.event) e = window.event; if (String.fromCharCode(e.keyCode) == 'P' & e.shiftKey & e.ctrlKey) faceletsDebug('/basic/icefaces.jsf?facelets.ui.DebugOutput=1274286830705'); else if (faceletsOrigKeyup) faceletsOrigKeyup(e); };
      //]]>]]&gt;<![CDATA[
      </script>

      The desired output for the script contents is also shown. Note that the unescaped "]]>" should appear literally during the initial full page response.

      It would be more efficient to have the component initially escape its output so that it was valid both inside and outside of a CDATA section (for instance, simply escape any <, > characters in the script rather than use CDATA) since this single escaped form could be used by all instances throughout the application (for all users and successive renderings of the page), but it is always possible for a component to write "]]>" so this must be guarded against. It may be useful to provide a mode where ]]> can be turned off for applications that are known not to output this sequence.
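An added example, not part of the original issue or the ICEfaces code base: it wraps component markup in a CDATA section, shows that an XML parser rejects the result when the markup carries its own "]]>", and shows that the escaped form from the description parses back to the original markup. The simplified `<update>` wrapper, the class and helper names, and the sample markup are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class CdataEndMarkerDemo {
    // Hypothetical helper: close the enclosing CDATA section at each "]]>",
    // emit the marker as escaped text, then reopen CDATA (the form shown above).
    static String escapeCdataEnd(String markup) {
        return markup.replace("]]>", "]]>]]&gt;<![CDATA[");
    }

    // Wraps component markup the way a partial response carries an update
    // (simplified; the element name and id are assumptions).
    static String wrapUpdate(String markup) {
        return "<update id=\"constructed\"><![CDATA[" + markup + "]]></update>";
    }

    // Returns the text a client would extract, or throws if not well-formed.
    static String parseUpdate(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations; good practice for any response parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the ui:debug output above.
        String markup = "<script type=\"text/javascript\">\n//<![CDATA[\n"
                + "function faceletsDebug(URL) {}\n//]]>\n</script>";

        try {
            parseUpdate(wrapUpdate(markup));
            System.out.println("unescaped: parsed (unexpected)");
        } catch (org.xml.sax.SAXException e) {
            // The component's "]]>" ended the update's CDATA section early.
            System.out.println("unescaped: rejected: " + e.getMessage());
        }

        String roundTrip = parseUpdate(wrapUpdate(escapeCdataEnd(markup)));
        System.out.println("escaped round-trips: " + roundTrip.equals(markup));
    }
}
```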

        Activity

        Ted Goddard added a comment -

        Verified for ui:debug.


          People

          • Assignee:
            Ted Goddard
            Reporter:
            Ted Goddard
          • Votes:
            0
            Watchers:
            0
