Values suddenly returned html encoded in template?

playframework / play1

Play framework

https://www.playframework.com/documentation/1.4.x/home

Other

1.58k stars 683 forks source link

Values suddenly returned html encoded in template? #1419

Open Axxoul opened 2 years ago

Axxoul commented 2 years ago

Play Version (1.5.x / etc)

1.7.1

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

Windows 11

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

jdk-11.0.15.1

Library Dependencies

db.driver=com.mysql.cj.jdbc.Driver jpa.dialect=org.hibernate.dialect.MySQL8Dialect hibernate.temp.use_jdbc_metadata_defaults=false

Expected Behavior

My template fetches temperatures in the database using : ${obj.minTemp} All values are stored in mysql database as DOUBLES

With play 1.5, for negative temperatures, I would get -15 --> Expected

Actual Behavior

Since upgrading to Play 1.7.1, ${obj.minTemp} returns −15 When calling .raw() I get −15 which is causing the JS to fail since the returned − is not being parsed as -

asolntsev commented 2 years ago

@Axxoul but why is this a problem? Yes, it's normal to encode all texts before rendering them in html.

tazmaniax commented 2 years ago

@Axxoul can you provide some more code showing how you're using ${obj.minTemp} in the template?

Axxoul commented 2 years ago

PS: I just upgraded from 1.5 (where everything was OK) to 1.71. I am guessing this is to do with the data being mistakenly treated as a string from the mysql DB ?

@asolntsev This is a problem since it is breaking our Javascript. @tazmaniax see below:

series: [{
    name: 'temp',
    color: '#000000',
    data: [#{list items:prod.weather(), as:'w'} ${w.avgTemp()} #{if w_isLast}#{/if}#{else},#{/else}#{/list}]
}]

this renders to:

series: [{
    name: 'Medel',
    color: '#000000',
    data: [ &minus;3 ,   &minus;6 ,   &minus;2 ,   4 ,   7 ,   12 ,   15 ,   15 ,   12 ,   8 ,   3 ,   &minus;3    ]
}]

which breaks the JS

Axxoul commented 2 years ago

Ok just checked and avgTemp() returns a String.

So I guess this is working as intended, but Play 1.5 was just returning the string "as is" (i.e. -15) whereas somewhere along the upgrades the string is returned encoded? (i.e −15)

asolntsev commented 2 years ago

@Axxoul Is this series: [{ ... }] inside of a <script> block? The initial idea was to make the encoding smart: values inside of html and javascript blocks should be encoded differently. So JS code should stay valid in theory.