
#921 Single quotes not escaped correctly in tooltips

closed-fixed
David Gilbert
General (896)
5
2009-03-25
2009-03-17
Fawad Halim
No

The ToolTipFragmentGenerator classes use ImageMapUtilities.htmlEscape for escaping text. This is insufficient for the JavaScript-based tooltip generators (DynamicDriveToolTipTagFragmentGenerator, OverLIBToolTipTagFragmentGenerator) because the single quote only gets escaped to the HTML entity &#39;. This breaks tooltips for text containing the single quote because the &#39; gets expanded to the single quote without the backslash to escape it. The user sees a JavaScript error when the mouse is moved over an area with such a text.

The attached copy of ImageMapUtilities (modified from the 1.0.12 release) introduces another helper function (javascriptEscape) that prepends a backslash to the single quote before passing it on to the htmlEscape function. The attached copies of DynamicDriveToolTipTagFragmentGenerator and OverLIBToolTipTagFragmentGenerator use this function.

I have also attached a small HTML file (escaping.html) that demonstrates the problem with the current escaping approach.

Discussion

  • Fawad Halim
    2009-03-17

    HTML file demonstrating escaping problem for JavaScript ToolTipFragmentGenerators

     
  • Fawad Halim
    2009-03-17

    Added javascriptEscape function to escape quotes correctly for JavaScript literals.

     
  • David Gilbert
    2009-03-19

    • assigned_to: nobody --> mungady
    • status: open --> closed-fixed
     
  • David Gilbert
    2009-03-19

    Thanks for the report. I've committed your fix to Subversion for inclusion in the 1.0.13 release.

    Best regards,

    Dave Gilbert
    JFreeChart Project Leader

     
  • David Gilbert
    2009-03-25

    Reopening because the fix needs modifying to compile under JDK 1.3.1.

     
  • David Gilbert
    2009-03-25

    • status: closed-fixed --> open
     
  • David Gilbert
    2009-03-25

    OK, I've reimplemented the javascriptEscape() method and added some JUnit tests. I removed the call to also perform the HTML escaping, as I'm not convinced that it is required to create a JavaScript string literal. I could be wrong though, so please check the code and JUnit tests.

     
  • David Gilbert
    2009-03-25

    • status: open --> closed-fixed
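
The two escaping layers discussed in this ticket, as an added example that is not JFreeChart code and not part of the original thread: it models how a browser handles an event-handler attribute (cut at the closing quote, decode entities, then parse as JavaScript) and runs tooltip text through each escaping choice. The function bodies, the `tip` callback and the sample strings are assumptions constructed for illustration; only the names `htmlEscape` and `javascriptEscape` come from the ticket.

```javascript
// Illustrative re-implementations (assumed bodies, not the project's source).
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function javascriptEscape(s) {
  // Backslash-escape the characters that can end or corrupt a JS string literal.
  return s.replace(/[\\'"]/g, c => '\\' + c);
}
const jsThenHtml = s => htmlEscape(javascriptEscape(s));

// Build a tag fragment the way a JavaScript tooltip generator would.
// `tip` is a hypothetical stand-in for the tooltip library's entry point.
const fragment = (escapeFn, text) => ` onmouseover="tip('${escapeFn(text)}');"`;

// Step 1 and 2 of browser handling: the attribute value ends at the first
// literal double quote, then character references are decoded.
function browserAttributeValue(frag) {
  const m = /onmouseover="([^"]*)"/.exec(frag);
  const unmap = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => unmap[e]);
}

// Step 3: the decoded value is compiled and run as JavaScript on mouse-over.
function hover(frag) {
  let shown = null;
  try {
    new Function('tip', browserAttributeValue(frag))(t => { shown = t; });
  } catch (e) {
    return { ok: false, error: e.name };
  }
  return { ok: true, shown };
}

// Constructed sample tooltip texts.
const samples = ["Bob's share", '6" pipe'];
for (const text of samples) {
  for (const [name, fn] of [['htmlEscape only', htmlEscape],
                            ['javascriptEscape only', javascriptEscape],
                            ['javascriptEscape then htmlEscape', jsThenHtml]]) {
    console.log(JSON.stringify(text), '|', name, '|', JSON.stringify(hover(fragment(fn, text))));
  }
}
```

HTML-only escaping fails on the single quote because the entity is decoded before the script is parsed, and JavaScript-only escaping fails on a double quote because a backslash does not stop the attribute from ending there.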