#921 Single quotes not escaped correctly in tooltips

closed-fixed
General (896)
5
2009-03-25
2009-03-17
Fawad Halim
No

The ToolTipFragmentGenerator classes use ImageMapUtilities.htmlEscape for escaping text. This is insufficient for the JavaScript-based tooltip generators (DynamicDriveToolTipTagFragmentGenerator, OverLIBToolTipTagFragmentGenerator) because the single quote only gets escaped to the HTML entity &#39;. This breaks tooltips for text containing the single quote because the &#39; gets expanded to the single quote without the backslash to escape it. The user sees a JavaScript error when the mouse is moved over an area with such text.

The attached copy of ImageMapUtilities (modified from the 1.0.12 release) introduces another helper function (javascriptEscape) that prepends a backslash to the single quote before passing it on to the htmlEscape function. The attached copies of DynamicDriveToolTipTagFragmentGenerator and OverLIBToolTipTagFragmentGenerator use this function.

I have also attached a small HTML file (escaping.html) that demonstrates the problem with the current escaping approach.
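
The failure described in this report and the escaping order that avoids it, as an added example (not part of the original report and not JFreeChart code). All function names are stand-ins written for this illustration; the &#39; mapping and the overlib handler shape are assumptions, and jsEscape also handles backslashes and line breaks, which goes beyond the single-quote case reported here.

```javascript
// Added example; not JFreeChart code. All functions are illustrative stand-ins.
const TO_ENTITY = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;', "'": '&#39;' };
const FROM_NAME = { amp: '&', quot: '"', lt: '<', gt: '>' };

// Stand-in HTML escaper (assumed mapping: ' becomes &#39;).
function htmlEscape(s) {
  return s.replace(/[&"<>']/g, c => TO_ENTITY[c]);
}

// What the browser does to an attribute value before the JS engine sees it.
function htmlDecode(s) {
  return s.replace(/&(?:#(\d+)|(\w+));/g, (m, num, name) =>
    num ? String.fromCharCode(Number(num)) : (FROM_NAME[name] ?? m));
}

// Escape text for use inside a single-quoted JavaScript string literal.
function jsEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// Attribute value a tooltip generator would emit (handler shape is assumed).
function handlerAttr(text, escape) {
  return "return overlib('" + escape(text) + "');";
}

// Simulate mouseover: decode the attribute, compile it, call a fake overlib
// that returns the string it was asked to display.
function runHandler(attrValue) {
  try {
    const handler = new Function('overlib', htmlDecode(attrValue));
    return { ok: true, shown: handler(t => t) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const htmlOnly = s => htmlEscape(s);               // behaviour reported as broken
const jsThenHtml = s => htmlEscape(jsEscape(s));   // order described in the report

const sample = "Bob's series";                     // constructed input
console.log(handlerAttr(sample, htmlOnly), runHandler(handlerAttr(sample, htmlOnly)));
console.log(handlerAttr(sample, jsThenHtml), runHandler(handlerAttr(sample, jsThenHtml)));
```

With HTML escaping alone the decoded handler fails to compile; escaping for the JavaScript literal first and for HTML second displays the original text unchanged.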

Discussion

  • Fawad Halim

    Fawad Halim - 2009-03-17

    HTML file demonstrating escaping problem for javascript ToolTipFragmentGenerators

     
  • Fawad Halim

    Fawad Halim - 2009-03-17

    Added javascriptEscape function to escape quotes correctly for javascript literals.

     
  • David Gilbert

    David Gilbert - 2009-03-19
    • assigned_to: nobody --> mungady
    • status: open --> closed-fixed
     
  • David Gilbert

    David Gilbert - 2009-03-19

    Thanks for the report. I've committed your fix to Subversion for inclusion in the 1.0.13 release.

    Best regards,

    Dave Gilbert
    JFreeChart Project Leader

     
  • David Gilbert

    David Gilbert - 2009-03-25

    Reopening because the fix needs modifying to compile under JDK 1.3.1.

     
  • David Gilbert

    David Gilbert - 2009-03-25
    • status: closed-fixed --> open
     
  • David Gilbert

    David Gilbert - 2009-03-25

    OK, I've reimplemented the javascriptEscape() method and added some JUnit tests. I removed the call to also perform the HTML escaping, as I'm not convinced that it is required to create a JavaScript string literal. I could be wrong though, so please check the code and JUnit tests.

     
  • David Gilbert

    David Gilbert - 2009-03-25
    • status: open --> closed-fixed
     
