Description of problem:
When a JSP tag that does not allow EL expression values (such as Struts 2 tags) is used, and one of the attributes is passed a certain value (such as a backslash), the parser throws an exception of the form

    According to TLD or attribute directive in tag file, attribute value does not accept any expressions

This is a fixed upstream "major" bug described as a "nasty regression". See: https://issues.apache.org/bugzilla/show_bug.cgi?id=48627

Version-Release number of selected component (if applicable):
tomcat6-6.0.24-35.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Pass an attribute value containing a backslash to a tag defined to not accept EL expressions.

Actual results:
Jasper exception, JSP not compiled, webapp dies.

Expected results:
Works.

Additional info:
Fixed upstream.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No tech notes needed.
Do we have a reproducer for this bug? It would help a lot; I was trying to come up with a reproducer from the upstream bug, without much success so far.
Using Struts 2, I had this tag in the JSP:

    <s:property value="myString.replaceAll('\\n','<br>')" escape="false" />

And got the error. As a workaround, I downloaded the AttributeParser.class and Parser.class from the upstream bug report and put them in /usr/share/java/tomcat6/org/apache/jasper/compiler and it fixed the problem for the time being.

The important part of the tag def. is the <rtexprvalue>false</rtexprvalue>. Here is the complete def. from the tld:

Tag is defined in tld as

    <tag>
      <description><![CDATA[Print out expression which evaluates against the stack]]></description>
      <name>property</name>
      <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
      <body-content>empty</body-content>
      <attribute>
        <description><![CDATA[The default value to be used if <u>value</u> attribute is null]]></description>
        <name>default</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Deprecated. Use 'escapeHtml'. Whether to escape HTML]]></description>
        <name>escape</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Whether to escape CSV (useful to escape a value for a column)]]></description>
        <name>escapeCsv</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Whether to escape HTML]]></description>
        <name>escapeHtml</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Whether to escape Javascript]]></description>
        <name>escapeJavaScript</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Whether to escape XML]]></description>
        <name>escapeXml</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <attribute>
        <description><![CDATA[Value to be displayed]]></description>
        <name>value</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
      </attribute>
      <dynamic-attributes>false</dynamic-attributes>
    </tag>
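An added example, not part of the original report and not Tomcat or Struts code: a Python check that lists JSP tag usages where an attribute declared <rtexprvalue>false</rtexprvalue> in the TLD carries a backslash, the condition described in this report. The sample TLD and JSP are constructed, the function names are hypothetical, and the regex scan only approximates JSP parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (a cut-down TLD and JSP, not files from the report).
SAMPLE_TLD = """<taglib><tag><name>property</name>
  <attribute><name>value</name><rtexprvalue>false</rtexprvalue></attribute>
  <attribute><name>escape</name><rtexprvalue>false</rtexprvalue></attribute>
</tag><tag><name>other</name>
  <attribute><name>value</name><rtexprvalue>true</rtexprvalue></attribute>
</tag></taglib>"""
SAMPLE_JSP = r'''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:property value="title" />
<s:property value="myString.replaceAll('\\n','<br>')" escape="false" />
<s:other value="a\\b" />
'''

def literal_only_attrs(tld_xml):
    """Map tag name -> attributes declared <rtexprvalue>false</rtexprvalue>."""
    # Drop a default namespace so plain element names match.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", tld_xml, count=1))
    result = {}
    for tag in root.iter("tag"):
        # An absent <rtexprvalue> is counted as false, the JSP default.
        result[tag.findtext("name").strip()] = {
            a.findtext("name").strip() for a in tag.iter("attribute")
            if (a.findtext("rtexprvalue") or "false").strip() == "false"}
    return result

ATTR = re.compile(r"""\s+([\w.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def find_risky_usages(jsp_text, prefix, literal_attrs):
    """Return (line, tag, attribute, value) for literal-only attributes holding a backslash."""
    hits = []
    for m in re.finditer(r"<%s:([\w.-]+)" % re.escape(prefix), jsp_text):
        tag, pos = m.group(1), m.end()
        # Walk attribute by attribute; a '>' inside a quoted value must not end the tag.
        while (a := ATTR.match(jsp_text, pos)):
            name, value = a.group(1), a.group(2) if a.group(2) is not None else a.group(3)
            if name in literal_attrs.get(tag, ()) and "\\" in value:
                hits.append((jsp_text.count("\n", 0, m.start()) + 1, tag, name, value))
            pos = a.end()
    return hits

if __name__ == "__main__":
    for hit in find_risky_usages(SAMPLE_JSP, "s", literal_only_attrs(SAMPLE_TLD)):
        print("line %d: <s:%s %s=%r>" % hit)
```

Pages flagged this way are the ones to retest after moving to the fixed package.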
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -No tech notes needed.+JSP parsing utilizes the directive attribute 'deferredSyntaxAllowedAsLiteral' which determines if deferred statements are treated as literals. The default is false. If true, '#' will not be treated as an escape.
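Review bot: the added text describes the 'deferredSyntaxAllowedAsLiteral' directive but never mentions the failure this report is about, a backslash in an attribute of a tag that does not accept EL expressions raising "attribute value does not accept any expressions"; add a sentence stating that symptom and that the update resolves it. The last sentence, "If true, '#' will not be treated as an escape", is also hard to read on its own and would be clearer if it said what the parser does with '#' under each setting.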
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0945.html