Here's a follow up on the escaping problem
attached mail follows:
Huh. I couldn't find this sort of thing anywhere in the HTML spec,
and my interpretation of the XML spec leads me to exactly the
*opposite* conclusion, that '>' need not be escaped, and '<' MUST be.
They didn't really need to special-case it either way because the
spec should treat > and > equivalently anyway, same for any entity.
That this doesn't happen when using JSP makes me wonder if those
HtmlUtils methods are even getting called when JSP-based views are
used.
Thanks very much for digging into this, and feel free to relay my
observation to the jsf dev folks, maybe give a mention on issues@ or
users@ if you hear back from them? This problem drove me crazy last
week. I can patch a fix in my project running on tomcat, but
glassfish stuffs all of this into javaee.jar ... sigh.
>>From http://www.w3.org/TR/REC-xml/
-----------------------
[10] AttValue ::= '"' ([^<&"] | Reference)* '"'
| "'" ([^<&'] | Reference)* "'"
...
The ampersand character (&) and the left angle bracket (<) MUST NOT
appear in their literal form, except when used as markup delimiters,
or within a comment, a processing instruction, or a CDATA section. If
they are needed elsewhere, they MUST be escaped using either numeric
character references or the strings " & " and " < "
respectively. The right angle bracket (>) may be represented using the
string " > ", and MUST, for compatibility, be escaped using either
" > " or a character reference when it appears in the string " ]]>
" in content, when that string is not marking the end of a CDATA
section.
In the content of elements, character data is any string of characters
which does not contain the start-delimiter of any markup and does not
include the CDATA-section-close delimiter, " ]]> ". In a CDATA
section, character data is any string of characters not including the
CDATA-section-close delimiter, " ]]> ".
To allow attribute values to contain both single and double quotes,
the apostrophe or single-quote character (') may be represented as "
' ", and the double-quote character (") as " " ".
Character Data
[14] CharData ::= [^<&]* - ([^<&]* ']]>' [^<&]*)
-----------------------
On 23 Sep 2006 23:47:55 -0000, jhook_at_dev.java.net <jhook_at_dev.java.net> wrote:
> https://facelets.dev.java.net/issues/show_bug.cgi?id=164
>
>
>
> User jhook changed the following:
>
> What |Old value |New value
> ================================================================================
> Status|NEW |RESOLVED
> --------------------------------------------------------------------------------
> Resolution| |WONTFIX
> --------------------------------------------------------------------------------
>
>
>
>
> ------- Additional comments from jhook_at_dev.java.net Sat Sep 23 23:47:55 +0000 2006 -------
> The culprit is in the RI's HtmlUtils class on lines 231-234:
>
> // Note - "<" isn't escaped in attributes, as per
> // HTML spec
> } else if (ch == '>') {
> buffIndex = flushBuffer(out, buff, buffIndex);
> out.write(">");
> } ...
>
> I'm going to follow up with the RI dev team to see why this odd condition exists
> and the desired work around given your use case.
>