Bug 783567

Summary: tag attributes parsing throws jasper exception when EL is not allowed in certain cases
Product: Red Hat Enterprise Linux 6 Reporter: David Mansfield <bugzilla>
Component: tomcat6Assignee: David Knox <dknox>
Status: CLOSED ERRATA QA Contact: tomcat-qe
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: jclere, jdennis, jpechane, mhasko
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tomcat6-6.0.24-44.el6 Doc Type: Bug Fix
Doc Text:
JSP parsing utilizes the directive attribute 'deferredSyntaxAllowedAsLiteral' which determines if deferred statements are treated as literals. The default is false. If true, '#' will not be treated as an escape.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 14:35:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description David Mansfield 2012-01-20 20:47:42 UTC 
Description of problem:
When a jsp tag that does not allow EL expression values (such as struts 2 tags) is used, and one of the attributes is passed a certain value (such as a backslash), the parser throws an exception of the form 

According to TLD or attribute directive in tag file, attribute value does not accept any expressions

This is a fixed uptream "major" bug described as a "nasty regression".  See:

https://issues.apache.org/bugzilla/show_bug.cgi?id=48627


Version-Release number of selected component (if applicable):
tomcat6-6.0.24-35.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. pass an attribute value containing a backslash to a tag defined to not accept EL expressions.
2.
3.
  
Actual results:
Jaspaer exception, JSP not compiled, webapp dies.

Expected results:
Works.

Additional info:
Fixed upstream.
Comment 3 David Knox 2012-05-01 21:27:49 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No tech notes needed.
Comment 4 Michal Haško 2012-05-11 13:59:04 UTC 
Do we have a reproducer for this bug? It would help a lot, I was trying to come up with a reproducer from the upstream bug, without much success so far.
Comment 5 David Mansfield 2012-05-11 14:35:40 UTC 
using struts 2, i had this tag in the jsp:

<s:property value="myString.replaceAll('\\n','<br>')" escape="false" />

And got the error.

As a workaround, I downloaded the AttributeParser.class and Parser.class from the upstream bug report and put them in /usr/share/java/tomcat6/org/apache/jasper/compiler and it fixed the problem for the time being.

The important part of the tag def. is the       <rtexprvalue>false</rtexprvalue>.  Here is the complete def. from the tld:

Tag is defined in tld as

  <tag>
    <description><![CDATA[Print out expression which evaluates against the stack]]></description>
    <name>property</name>
    <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description><![CDATA[The default value to be used if <u>value</u> attribute is null]]></description>
      <name>default</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Deprecated. Use 'escapeHtml'. Whether to escape HTML]]></description>
      <name>escape</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Whether to escape CSV (useful to escape a value for a column)]]></description>
      <name>escapeCsv</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Whether to escape HTML]]></description>
      <name>escapeHtml</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Whether to escape Javascript]]></description>
      <name>escapeJavaScript</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Whether to escape XML]]></description>
      <name>escapeXml</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <attribute>
      <description><![CDATA[Value to be displayed]]></description>
      <name>value</name>
      <required>false</required>
      <rtexprvalue>false</rtexprvalue>
    </attribute>
    <dynamic-attributes>false</dynamic-attributes>
  </tag>
Comment 6 David Knox 2012-05-29 17:05:55 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-No tech notes needed.+JSP parsing utilizes the directive attribute 'deferredSyntaxAllowedAsLiteral' which determines if deferred statements are treated as literals. The default is false. If true, '#' will not be treated as an escape.
Comment 9 errata-xmlrpc 2012-06-20 14:35:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0945.html