[Yanel-dev] Jelly and escaping XML within the "usecase" resource-type
Guillaume Déflache
guillaume.deflache at wyona.com
Thu May 7 09:34:53 CEST 2009
Hi!
The problem is as follows: the "usecase" resource-type currently does
not escape XML properly, see
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=5964
Applying the patch proposed there breaks backward compatibility, and
fixing all uses manually is no longer an option because of too many uses
already.
The only workaround I found for now to e.g. escape
${item.getDescription()} (for the case when an item's description may
contain '&' characters for example) is rather lengthy:
<j:invokeStatic className="org.wyona.yanel.servlet.YanelServlet"
method="encodeXML" var="itemDescription"><j:arg type="java.lang.String"
value="${item.getDescription()}"/></j:invokeStatic>${itemDescription}
[ Note that other methods doing this XML escaping work may exist in the
Yanel codebase (but oddly enough not in commons where it would IMHO make
the most sense unfortunately), and I found many other instances in the
project I am currently working on :/ ]
I tried to fiddle with the "escapeText" attribute on both "core:jelly"
and "core:scope" (for local workarounds) elements, but I could not get
it to do anything useful... or anything at all for that matter, so maybe
I entirely missed the point of that attribute...
IMHO a real solution could be not to introduce another non-misbehaving
resource-type, but only a new "jelly-XML" view-type alongside the
already-existing "jelly" one.
Then to fix encoding problems one would only need to switch from "jelly"
to "jelly-XML" type in *.rc files and audit the related Jelly code to
see if it really needs some XML to be included verbatim/non-escaped.
The proposed solution should be backward-compatible and would only need
changes in org.wyona.yanel.impl.resources.xml.ConfigurableViewDescriptor
and org.wyona.yanel.impl.resources.usecase.UsecaseResource AFAICS.
However I am still unsure if we should deprecate the "jelly" type itself
(to make people aware they need to check for escaping issues) and
introduce yet another "jelly-text" type allowing to state explicitly
that XML escaping is known to be unneeded, or leave the "jelly" type alone.
What we might be able to do is check in the "usecase" RT whether the
Jelly output is really used as XML in the rest of the "pipeline", e.g.
as input for an XSLT or serialized as XML or (X)HTML (is it always the
case?) and only then warn that not-escaping XML might cause problems.
WDYT?
Cheers,
Guillaume
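
Added example, not part of the original message and not Yanel code: it shows what the message describes, a value substituted into a template without escaping that the next XML stage cannot parse, and why turning escaping on changes the result for templates that relied on verbatim markup. The class and the helpers escapeXml, render and parse are hypothetical names; escapeXml is only a stand-in for an encodeXML-style method.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JellyEscapingDemo {

    // Hypothetical stand-in for an encodeXML-style helper (not Yanel's code).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Plain string substitution, as a template engine does for ${...}.
    static String render(String description, boolean escape) {
        String value = escape ? escapeXml(description) : description;
        return "<item><description>" + value + "</description></item>";
    }

    // The next pipeline stage (XSLT, XML serializer) has to parse the output.
    static String parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Element d = (Element) b.parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getFirstChild();
            return "text=[" + d.getTextContent() + "] child elements="
                    + d.getElementsByTagName("*").getLength();
        } catch (SAXException e) {
            return "not well-formed";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptions.
        for (String d : new String[] { "Fish & chips", "<b>bold</b>" }) {
            System.out.println(d + " | raw:     " + parse(render(d, false)));
            System.out.println(d + " | escaped: " + parse(render(d, true)));
        }
    }
}
```

The second sample is the backward-compatibility case: unescaped, it becomes an element inside the description; escaped, it is literal text, which is the difference an audit of existing templates has to look for.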