Strict Quote Escaping in Tomcat

October 30th, 2009 by Zach Cox

I just started here at Source Allies (loving it here so far, btw!) and inherited an aging code base to resurrect.  It was originally deployed on Tomcat 5 and one of the issues I encountered upgrading to Tomcat 6 was strict quote escaping.  The code base has lots of JSPs with elements like this:

<some:tag title="<%=(String)request.getAttribute("title")%>">

Apparently this used to fly under the radar up until Tomcat 5.5.26, but Tomcat 5.5.27+ enforces the quoting requirements of the JSP spec.  Running this app with Tomcat 6 produced lots of exceptions like this one:

javax.servlet.jsp.JspException: ServletException in '/WEB-INF/content/admin/editUser.jsp': /WEB-INF/content/admin/editUser.jsp(6,23) Attribute value (String)request.getAttribute("title") is quoted with " which must be escaped when used within the value

Now, we all know that double-quotes within double-quotes is a no-no and should be fixed by either using single quotes to enclose the attribute value:

<some:tag title='<%=(String)request.getAttribute("title")%>'>

or by escaping the inner double-quotes:

<some:tag title="<%=(String)request.getAttribute(\"title\")%>">

However in this case we just needed to get the app up & running quickly so I found a quick, temporary workaround instead of fixing all of the improperly formatted quotes.  Setting org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false in $TOMCAT_HOME/conf/catalina.properties allows the double-quotes within double-quotes, and no more exceptions!
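To retire the temporary workaround, the offending attributes have to be found and fixed first. The following is an added example, not code from the original post: it scans JSP source for double-quoted attribute values whose <%= ... %> expression contains unescaped double quotes, and can rewrite them to the single-quote form shown above. The function names, the regular expression and the sample text are constructed for illustration, and the regex is a heuristic, not Jasper's own parser.

```python
import re
import sys
from pathlib import Path

# name="<%= expr %>" with a double-quote delimiter (heuristic, not Jasper's parser).
ATTR_RE = re.compile(r'''([\w:.-]+)\s*=\s*"(<%=(.*?)%>)"''', re.S)
# A double quote that is not preceded by a backslash.
UNESCAPED_DQ = re.compile(r'(?<!\\)"')

# Constructed sample: the three attribute forms discussed in the post.
SAMPLE = r'''<%@ page language="java" %>
<some:tag title="<%=(String)request.getAttribute("title")%>">
<some:tag title='<%=(String)request.getAttribute("title")%>'>
<some:tag title="<%=(String)request.getAttribute(\"title\")%>">
'''

def find_violations(text):
    """Return (line, attribute, expression) for each attribute strict mode rejects."""
    hits = []
    for m in ATTR_RE.finditer(text):
        if UNESCAPED_DQ.search(m.group(3)):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1), m.group(3).strip()))
    return hits

def fix_with_single_quotes(text):
    """Switch violating attributes to single-quote delimiters.

    Expressions that themselves contain a single quote are left alone,
    because they would then need escaping the other way round.
    """
    def repl(m):
        expr = m.group(3)
        if not UNESCAPED_DQ.search(expr) or "'" in expr:
            return m.group(0)
        return f"{m.group(1)}='{m.group(2)}'"
    return ATTR_RE.sub(repl, text)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        for hit in find_violations(SAMPLE):
            print("sample", *hit)
    else:
        # Report only; review each hit before rewriting files in place.
        for jsp in sorted(Path(sys.argv[1]).rglob("*.jsp")):
            for line, attr, expr in find_violations(jsp.read_text(errors="replace")):
                print(f"{jsp}:{line}: {attr} has unescaped \" in <%={expr}%>")
```

Run it with the web application's root directory as the only argument to list the JSPs that still depend on STRICT_QUOTE_ESCAPING=false.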


5 comments

  1. Kevin Jansz says:

    Thanks for posting this, very helpful.

    I would have thought everything inside the should be a valid java statement that evaluates to something (eg a String; boolean; etc). In which case the escaped inner double-quoted example just reads wrong to me. Also seems strange that STRICT_QUOTE_ESCAPING=true would be the default if jasper can handle the stuff inside the properly.

    That’s just my opinion(s) though. I can report I’ve seen some inconsistency in treatment of quotes between point releases of Tomcat – in particular 6.0.24 seems to treat STRICT_QUOTE_ESCAPING as true whereas 6.0.20 treats STRICT_QUOTE_ESCAPING as false.

    I guess the moral is use single quotes for tag attributes where possible or set the parser setting explicitly.

  2. Kevin Jansz says:

    Thanks for posting this, very helpful.

    I would have thought everything inside the >%= .. < should be a valid java statement that evaluates to something (eg a String; boolean; etc). In which case the escaped inner double-quoted example just reads wrong to me. Also seems strange that STRICT_QUOTE_ESCAPING=true would be the default if jasper can handle the stuff inside the >%= .. < properly.

    That’s just my opinion(s) though. I can report I’ve seen some inconsistency in treatment of quotes between point releases of Tomcat – in particular 6.0.24 seems to treat STRICT_QUOTE_ESCAPING as true whereas 6.0.20 treats STRICT_QUOTE_ESCAPING as false.

    I guess the moral is use single quotes for tag attributes where possible or set the parser setting explicitly.

    (sorry, I’ll try comment again with escaping of the > <)

  3. I finally bookmarked your website. I always find great material along with comments.

  4. Alireza says:

    Thanks for the helpful link, but I have the same problem with WebLogic 10. Are there any similar parameters for WebLogic?

  5. Nnitesh says:

    I solved the problem by:
    org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

    Adding the above line in catalina.properties

    Restart the Tomcat server and the problem is resolved. Cheers
