[Yanel-dev] Jelly and escaping XML within the "usecase" resource-type

Guillaume Déflache guillaume.deflache at wyona.com
Thu May 7 09:34:53 CEST 2009


Hi!

The problem is as follows: the "usecase" resource-type currently does 
not escape XML properly, see
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=5964
Applying the patch proposed there breaks backward compatibility, and 
fixing all uses manually is no longer an option because there are too 
many uses already.


The only workaround I found for now to e.g. escape 
${item.getDescription()} (for the case when an item's description may 
contain '&' characters for example) is rather lengthy:
<j:invokeStatic className="org.wyona.yanel.servlet.YanelServlet"
method="encodeXML" var="itemDescription"><j:arg type="java.lang.String"
value="${item.getDescription()}"/></j:invokeStatic>${itemDescription}
[ Note that other methods doing this XML escaping work may exist in the 
Yanel codebase (but oddly enough not in commons where it would IMHO make 
the most sense unfortunately), and I found many other instances in the 
project I am currently working on :/ ]

I tried to fiddle with the "escapeText" attribute on both "core:jelly" 
and "core:scope" (for local workarounds) elements, but I could not get 
it to do anything useful... or anything at all for that matter, so maybe 
I entirely missed the point of that attribute...


IMHO a real solution could be not to introduce another non-misbehaving 
resource-type, but only a new "jelly-XML" view-type alongside the 
already-existing "jelly" one.
Then to fix encoding problems one would only need to switch from "jelly" 
to "jelly-XML" type in *.rc files and audit the related Jelly code to 
see if it really needs some XML to be included verbatim/non-escaped.

The proposed solution should be backward-compatible and would only need 
changes in org.wyona.yanel.impl.resources.xml.ConfigurableViewDescriptor 
and org.wyona.yanel.impl.resources.usecase.UsecaseResource AFAICS.

However I am still unsure if we should deprecate the "jelly" type itself 
(to make people aware they need to check for escaping issues) and 
introduce yet another "jelly-text" type allowing to state explicitly 
that XML escaping is known to be unneeded, or leave the "jelly" type alone.
What we might be able to do is check in the "usecase" RT whether the 
Jelly output is really used as XML in the rest of the "pipeline", e.g. 
as input for an XSLT or serialized as XML or (X)HTML (is it always the 
case?) and only then warn that not-escaping XML might cause problems.


WDYT?


Cheers,
    Guillaume
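
Added example, not part of the original mail and not Yanel code: a stand-alone Java program showing why a value such as the item description must be XML-escaped before it is placed in markup that a later pipeline step parses as XML. The escapeXml helper, the class name and the sample description are assumptions made for illustration; escapeXml only stands in for an escaping method like the encodeXML call quoted above.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EscapeDemo {
    // Hypothetical helper standing in for an XML-escaping method such as the
    // encodeXML call in the mail; the real implementation is not shown there.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Returns the root element's text, or null when the markup is not well-formed.
    static String parseText(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // rethrow fatal errors without logging
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String description = "Fish & chips <new>"; // constructed sample value
        String raw = "<description>" + description + "</description>";
        String escaped = "<description>" + escapeXml(description) + "</description>";
        System.out.println("verbatim: " + parseText(raw));
        System.out.println("escaped:  " + parseText(escaped));
    }
}
```

The verbatim variant is rejected by the parser, while the escaped variant parses and yields the original description text unchanged.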

