The CometServerServlet does not escape the data containing apostrophes when
writing out script tags. It uses Utilities.htmlEncode which has the '
handling commented out.
What steps will reproduce the problem?
1. Try to push a string like "x'x"
2. The CometServerServlet will write out:
<script>try{window.parent.__cometDispatch('[2,1,1,["java.lang.String/2004016611","x'x"],0,4]');}catch(e){}</script>
3. The browser will fail because the script is malformed.
What is the expected output?
The browser fails to process the script and the CometClient is not notified
of the error.
What do you see instead?
The string "x'x" being dispatched on the client
What version of the product are you using? On what operating system?
Rocket 0.56 on Windows using IE
Original issue reported on code.google.com by rich...@zschech.net on 28 Oct 2008 at 4:05
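The following is an added example, not code from Rocket or from the bug report. It reproduces the script output quoted above using a hypothetical stand-in for Utilities.htmlEncode (assumed to encode only &, < and >, with the apostrophe case commented out as the report says), and puts beside it the escaping the servlet actually needs: the data lands inside a single-quoted JavaScript string literal in a script element, where HTML entities are never decoded and a bare apostrophe ends the literal. The serialized payload is constructed to match the shape in the report; the real GWT-RPC serializer is not reproduced, and __cometDispatch is replaced by a recording stub.

```javascript
// Added example, not code from Rocket or from the bug report. It reproduces
// the report's <script> output with a stand-in for Utilities.htmlEncode and
// shows the escaping the servlet needs when it embeds data inside a
// single-quoted JavaScript string literal.

// Hypothetical stand-in for Utilities.htmlEncode. Assumption: it encodes only
// & < > and, as the report says, has the apostrophe case commented out.
function htmlEncodeNoApostrophe(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
  // .replace(/'/g, '&#39;')   <- the commented-out case from the report
}

// Escaping for the actual context: the contents of a '...' JavaScript string
// inside a <script> element. HTML entities are not decoded there, so the
// characters that matter are the ones that can end the literal (\ ' and line
// terminators) and the sequence "</", which could otherwise close the tag.
function escapeForJsSingleQuoted(s) {
  const map = { '\\': '\\\\', "'": "\\'", '\n': '\\n', '\r': '\\r',
                '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return s.replace(/[\\'\n\r\u2028\u2029]/g, c => map[c])
          .replace(/<\//g, '<\\/');
}

// Constructed payload in the shape shown in the report (the real GWT-RPC
// serializer is not reproduced; only the string field varies here).
function serialize(str) {
  return '[2,1,1,["java.lang.String/2004016611",' + JSON.stringify(str) + '],0,4]';
}

// What the servlet writes out, parameterised by the encoder it uses.
function buildScript(payload, encode) {
  return "<script>try{window.parent.__cometDispatch('" + encode(payload) +
         "');}catch(e){}</script>";
}

// Stand-in for the browser: strip the tags and hand the JavaScript to the
// parser. A SyntaxError is what "the script is malformed" means in practice;
// the script's own try/catch cannot catch it, so the client is never told.
function simulateBrowser(scriptTag) {
  const js = scriptTag.slice('<script>'.length, -'</script>'.length);
  let dispatched = null;
  const fakeWindow = { parent: { __cometDispatch: v => { dispatched = v; } } };
  try {
    new Function('window', js)(fakeWindow);
  } catch (e) {
    return { ok: false, error: e.name, dispatched: null };
  }
  return { ok: true, error: null, dispatched };
}

// Usage: the report's input, through both encoders.
const reportPayload = serialize("x'x");
const broken = buildScript(reportPayload, htmlEncodeNoApostrophe);
const fixed = buildScript(reportPayload, escapeForJsSingleQuoted);
console.log(broken, simulateBrowser(broken));  // SyntaxError, nothing dispatched
console.log(fixed, simulateBrowser(fixed));    // dispatched === reportPayload
```

The point of escaping for the JavaScript-string context rather than HTML-encoding is that the same missing escape that makes the script malformed also lets pushed data terminate the string literal early, so a fix that only adds an apostrophe entity to htmlEncode would still be encoding for the wrong context.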