I work on a Java EE web application that uses a combination of Dojo and plain JavaScript for the front-end.
We've discovered that when ResourceBundle properties are used in JavaScript, in some cases they end up breaking code.
Specifically, this happens when the properties contain quotes (single and double) and escape sequences (\n, \s, ...).
The solution seems to be to include extra escape characters. For instance, \n needs to be prepended with one more backslash (\\n) when used in a JS alert
to correctly render the line break, and quotes, if not escaped, truncate the content prematurely for obvious reasons.
Our solution to the above issues so far has been to put the extra escape characters in the property files themselves. But this is something we would like to move away from.
It seems like this might be a widespread problem and I'd like to hear from the experts on how you might have solved this problem.
Current Usage: key=A newline is represented with \\n and this \" is within quotes \".
Envisioned Usage : key=A newline is represented with \n and this " is within quotes ".
PS: We typically use the <fmt:message> tag to access these values in the front end and for use in javascript.
Consider using StringEscapeUtils. It has a method to escape input like yours.
http://commons.apache.org/lang/api-2.5/org/apache/commons/lang/StringEscapeUtils.html#escapeJava(java.lang.String)
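As an added example (not code from the question or the answer above): the value in the "envisioned usage" form is loaded through java.util.Properties, which turns the \n in the file into a real newline, and is then escaped for a JavaScript string literal before being written into the page. The escaper below is written here for the example rather than taken from commons-lang, and the properties text is constructed. It escapes both quote characters, the backslash, control characters, the JavaScript-only line terminators U+2028/U+2029, and the characters that could close an inline <script> block. Note that StringEscapeUtils.escapeJava deliberately does not escape the single quote, so a value placed in a '...' literal still breaks with it; escapeJavaScript in the same class does escape it.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class JsLiteralEscaper {

    // Constructed properties text in the "envisioned" form: a plain \n escape and raw quotes,
    // plus a value that would close an inline script block if copied into the page verbatim.
    static final String PROPS_TEXT =
            "key=A newline is represented with \\n and this \" is within quotes \".\n"
          + "evil=</script><script>alert(document.cookie)</script>\n";

    /** Escape s for use inside a JavaScript string literal delimited by ' or ". */
    static String escapeForJsLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\':     sb.append("\\\\");   break;
                case '\'':     sb.append("\\'");    break;
                case '"':      sb.append("\\\"");   break;
                case '\n':     sb.append("\\n");    break;
                case '\r':     sb.append("\\r");    break;
                case '\t':     sb.append("\\t");    break;
                // '<', '>' and '&' are encoded so "</script>" cannot end the surrounding script block
                case '<':      sb.append("\\u003C"); break;
                case '>':      sb.append("\\u003E"); break;
                case '&':      sb.append("\\u0026"); break;
                // U+2028 and U+2029 are line terminators in JavaScript source but not in Java
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:
                    if (c < 0x20) {
                        // remaining control characters
                        sb.append(String.format("\\u%04X", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** Build the JS statement the page would emit for one property. */
    static String jsAlertFor(Properties props, String key) {
        return "alert('" + escapeForJsLiteral(props.getProperty(key)) + "');";
    }

    public static void main(String[] args) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(PROPS_TEXT));
        // Properties.load has already turned the \n in the file into a real newline character,
        // which is why the un-escaped value breaks a JS literal.
        System.out.println(props.getProperty("key").contains("\n"));
        System.out.println(jsAlertFor(props, "key"));
        System.out.println(jsAlertFor(props, "evil"));
    }
}
```

With this in place the property files keep single backslashes and raw quotes, and the escaping happens at the one point where the value crosses into JavaScript. The same function must not be used for values written into HTML text or attributes, which need HTML entity encoding instead.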
I have a properties file, and I need to use the / forward slash in some of my keys.
e.g.
app.module/hdr.key1=value 1
app.module/hdr.key2=value 2
I just have no choice but to do it that way. Please advise: is this achievable, and how do I do it?
Thanks.
The use of forward slashes will not cause a problem. To understand why, I suggest you read a critique of the syntax used in Java properties that I wrote. In essence, what you need to know is the following:
Leaving aside edge cases (comment lines, blank lines and escape sequences), the syntax of a name=value pair permits almost any character (including forward-slashes) in the name.
The = can actually be any of the following: (1) = (optionally preceded and/or followed by whitespace); (2) : (optionally preceded and/or followed by whitespace); or (3) just whitespace. So, yes name=value is equivalent to name:value and also to name value.
All escape sequences begin with the backslash character. For details of the escape sequences, I suggest you do a Google search for java.util.Properties to find online documentation for that class, and look at the long description of the load(InputStream) method.
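As an added example (not part of the answer above), the following constructed properties text exercises the points just made: the asker's slash keys, the three separator forms (=, : and whitespace), an escaped = inside a key, and one caveat worth knowing about the escape rules, namely that a backslash before a character that is not a valid escape is silently dropped by Properties.load, so a Windows path typed with single backslashes loses them.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class PropertiesKeySyntax {

    // Constructed input: slash keys, the three separator forms, an escaped '=' in a key,
    // and a path whose backslashes are not escaped.
    static final String TEXT =
            "app.module/hdr.key1=value 1\n"
          + "app.module/hdr.key2 : value 2\n"
          + "app.module/hdr.key3 value 3\n"
          + "a\\=b=c\n"
          + "path=C:\\Users\\Daniel\\Desktop\n";

    /** Parse text with java.util.Properties and return the entries in key order. */
    static TreeMap<String, String> load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        TreeMap<String, String> sorted = new TreeMap<>();
        for (String name : p.stringPropertyNames()) {
            sorted.put(name, p.getProperty(name));
        }
        return sorted;
    }

    public static void main(String[] args) throws IOException {
        for (Map.Entry<String, String> e : load(TEXT).entrySet()) {
            System.out.println("[" + e.getKey() + "] -> [" + e.getValue() + "]");
        }
    }
}
```

The three app.module/hdr.* keys come back intact with their values, the escaped key is read as a=b, and the path entry comes back with every backslash removed, because \U, \D and the like are not escape sequences. Paths in a properties file therefore need \\ (or forward slashes, which java.io.File accepts on Windows too).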
On my current project, we are using properties files for strings. Those strings are then "formatted" using MessageFormat. Unfortunately, MessageFormat has a handling of single quotes that becomes a bit of a hindrance in languages, such as French, which use a lot of apostrophes.
For instance, suppose we have this entry
login.userUnknown=User {0} does not exist
When this gets translated into French, we get:
login.userUnknown=L'utilisateur {0} n'existe pas
This, MessageFormat does not like...
And I do not like the following, i.e. having to use doubled quotes:
login.userUnknown=L''utilisateur {0} n''existe pas
The reason I don't like it is that it causes spellchecking errors everywhere.
Question: I am looking for an alternative to the instruction below, an alternative that does not need doubling quotes but still uses positional placeholders ({0}, {1}…). Is there anything else that I can use?
MessageFormat.format(Messages.getString("login.userUnknown"), username);
No, there is no other way, as that is how we are supposed to do it according to the javadoc:
A single quote itself must be represented by doubled single quotes '' throughout a String
As a workaround, what you could do is do it programmatically using replace("'", "''"), or for this particular use case you could use the apostrophe character instead, which is ’; it would actually be even more correct than using a single quote.
Probably too late for you, but someone else might find this useful: instead of Java's MessageFormat, use ICU (International Components for Unicode) (or rather its Java port, ICU4J). It's basically a set of tools and data to support you in internationalizing your application. And among those tools is their own version of MessageFormat. It's very similar (maybe even backwards compatible) and can handle single quotes exactly like you want. It can even handle doubled/escaped single quotes, so you can try it as a drop-in replacement for Java's MessageFormat without having to unescape your single quotes first.
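As an added example illustrating the two answers above (this is not code from either poster): the French pattern run through java.text.MessageFormat unescaped, hand-escaped, through the replace("'", "''") workaround, and with the typographic apostrophe U+2019. The helper name formatWithLiteralQuotes is chosen for this example. It also shows that arguments are inserted verbatim and never parsed, so any user-supplied text belongs in the arguments, not spliced into the pattern.

```java
import java.text.MessageFormat;

public class ApostropheFormat {

    /** The workaround from the first answer: double every ' in the pattern so MessageFormat
     *  treats it as a literal apostrophe. A pattern that deliberately uses quotes, for example
     *  '{' to print a brace, can no longer do so once this is applied to it. */
    static String formatWithLiteralQuotes(String pattern, Object... args) {
        return MessageFormat.format(pattern.replace("'", "''"), args);
    }

    public static void main(String[] args) {
        String raw = "L'utilisateur {0} n'existe pas";
        // Unescaped: everything between the two apostrophes, {0} included, is copied verbatim
        // and the apostrophes themselves disappear.
        System.out.println(MessageFormat.format(raw, "alice"));
        // Hand-escaped pattern as written in the question.
        System.out.println(MessageFormat.format("L''utilisateur {0} n''existe pas", "alice"));
        // Programmatic doubling.
        System.out.println(formatWithLiteralQuotes(raw, "alice"));
        // The typographic apostrophe (U+2019) has no meaning to MessageFormat.
        System.out.println(MessageFormat.format("L\u2019utilisateur {0} n\u2019existe pas", "alice"));
        // Arguments are never parsed: quotes and braces in them are output as-is, which is why
        // untrusted data must go here and not into the pattern string.
        System.out.println(formatWithLiteralQuotes(raw, "o'brien {1}"));
    }
}
```

The first line printed shows the symptom the question describes: the placeholder is not substituted because it sits inside a quoted run. The last line shows why the doubling must only ever be applied to the pattern: the argument o'brien {1} comes through unchanged.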
The return value of getPath() from the File class is something like this:
"C:\Users\Daniel\Desktop\ASDF.mp3".
To use the Desktop class from Java to play a file, the path would have to be fed into a File, with a path similar to
"C:\\Users\\Daniel\\Desktop\\ASDF.mp3"
Since the \ is a reserved character (from my understanding), to make a new File you must use a double backslash to dictate that it is a file. My problem is that when I try to get the path I need to transform it into a double-slash version. The .replaceAll() method doesn't allow for '\' since it's a reserved character, but the .replace() method does.
To work around this, would I just have to loop through to find all instances and replace them one at a time? Or is there a simpler workaround? Also, I would like to know if I am receiving this error due to it being a reserved character, or if I am completely wrong.
The two strings above are actually exactly the same.
When Java or another language outputs a string, it only displays one slash '\', but when you are typing the string into double quotes you need a double backslash '\\' so the Java parser knows it's one slash. Backslash is used for many other escape characters, so this is the only way the parser will know.
(Even when typing this answer, I needed 4 backslashes to make only 2!)
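As an added example (not from the question or the answer above) showing the point in running code: the path built from the doubled source literal and the path returned by File.getPath() are the same String with four backslash characters, so no conversion is needed before handing it to another File. It also shows why replaceAll() appeared to reject the backslash: it takes a regular expression, and a lone backslash is not a valid one. The path value is the question's own; the class and method names are chosen for this example.

```java
import java.io.File;
import java.util.regex.Matcher;
import java.util.regex.PatternSyntaxException;

public class BackslashDemo {

    /** Count backslash characters actually present in a String. */
    static long countBackslashes(String s) {
        long n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '\\') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Eight backslashes typed in the source, four in the String.
        String literal = "C:\\Users\\Daniel\\Desktop\\ASDF.mp3";
        String fromFile = new File(literal).getPath();
        System.out.println(fromFile.equals(literal));
        System.out.println(countBackslashes(fromFile));

        // replace() is literal: "\\" in source is one backslash, replaced here by two.
        String doubled = fromFile.replace("\\", "\\\\");
        System.out.println(countBackslashes(doubled));

        // replaceAll() takes a regex, and a single backslash is an incomplete escape in regex syntax.
        try {
            fromFile.replaceAll("\\", "/");
        } catch (PatternSyntaxException e) {
            System.out.println("replaceAll rejected the pattern: " + e.getDescription());
        }

        // In a regex the backslash must itself be escaped ("\\\\" in source), and the replacement
        // string treats backslash and $ specially, so it is quoted with Matcher.quoteReplacement.
        String viaRegex = fromFile.replaceAll("\\\\", Matcher.quoteReplacement("\\\\"));
        System.out.println(viaRegex.equals(doubled));
    }
}
```

The doubled String is only useful if you intend to write it back out as Java source; for opening the file, new File(fromFile) already refers to the right path.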
I need a simple way to implement the contains function using matches. I believe this is my starting point:
xxx.matches("'.*yyy.*'");
But I need to make it a universal method and pre-process whatever I search for to be accepted by matches! This must be done using only the escape '\' character!
Imagine a string SEARCH_FOR that can contain some special characters that must be "regex escaped"...
String SEARCH_FOR="*.\\"
xxx.matches("'.*" + SEARCH_FOR + ".*'");
Are there any catches? Special situations? Any other "special chars" that should be taken into account?
Are you looking for Pattern.quote(String) ?
This escapes special characters for you.
EDIT:
After reading the comments, I really hope you try Pattern.quote(yourString.toLowerCase()) as it sounds like you've been using Pattern.quote(yourString).toLowerCase(). If DataNucleus is applying the regex then there should be no problems with using the \Q and \E escape sequence.
Since you have really asked for it, ".\\".replaceAll("(\\.|\\$|\\+|\\*|\\\\)", "\\\\$1") outputs \.\\
This will escape ., $, +, * and \. Note that the security of this is now all upon you. If you don't escape something you needed to, or you escape it incorrectly, you will either allow people to use regex inside the search term when you weren't expecting to, or it won't return the results that you were expecting.
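As an added example (not code from the answer above) of the contrast the answer draws: a contains() built on matches() with Pattern.quote, beside the hand-rolled escaper from the answer, run over the question's search term *.\ and over two terms that the hand-rolled character list does not cover. The (?s) flag is added so that '.' also matches newlines in a multi-line haystack; method names are chosen for this example.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class QuotedContains {

    /** contains() expressed through matches(), with the search term neutralised by Pattern.quote.
     *  (?s) makes '.' match line terminators so a multi-line haystack still works. */
    static boolean containsViaMatches(String haystack, String needle) {
        return haystack.matches("(?s).*" + Pattern.quote(needle) + ".*");
    }

    /** The hand-rolled escaper from the answer: only . $ + * and \ are escaped. */
    static String handRolledEscape(String needle) {
        return needle.replaceAll("(\\.|\\$|\\+|\\*|\\\\)", "\\\\$1");
    }

    static boolean containsHandRolled(String haystack, String needle) {
        return haystack.matches("(?s).*" + handRolledEscape(needle) + ".*");
    }

    public static void main(String[] args) {
        String term = "*.\\";                          // the question's SEARCH_FOR, i.e. *.\
        System.out.println(Pattern.quote(term));       // the \Q...\E form that quote() produces
        System.out.println(containsViaMatches("a*.\\b", term));
        System.out.println(containsViaMatches("a.b", term));
        // A term that itself contains \E is still handled: Pattern.quote splits around it.
        System.out.println(containsViaMatches("x\\Ey", "\\E"));

        System.out.println(handRolledEscape(".\\"));
        // Characters missing from the hand-rolled list either break the regex ...
        try {
            containsHandRolled("a(b", "(");
        } catch (PatternSyntaxException e) {
            System.out.println("hand-rolled escaping failed on '(': " + e.getDescription());
        }
        // ... or are interpreted as regex: "[a-z]" does not occur in "q", yet this reports a match.
        System.out.println(containsHandRolled("q", "[a-z]"));
        System.out.println(containsViaMatches("q", "[a-z]"));
    }
}
```

The last pair of lines is the security point of the answer made concrete: with the incomplete escaper, whoever controls the search term controls the regex, which means both false matches and, with a crafted pattern, catastrophic backtracking against your data. Pattern.quote closes that off for every metacharacter, including ones added in later Java versions.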
I've been using Apache's StringEscapeUtils for HTML entities, but if you want to escape HTML attribute values, is there a standard way to do this? I guess that using the escapeHtml function won't cut it, since otherwise why would the Owasp Encoder interface have two different methods to cope with this?
Does anyone know what is involved in escaping HTML attributes vs. entities and what to do about attribute encoding in the case that you don't have the Owasp library to hand?
It looks like this is Rule #2 of the Owasp XSS Prevention Cheat Sheet. Note the bit where it says:
Properly quoted attributes can only be escaped with the corresponding
quote
Therefore, I guess so long as the attributes are correctly bounded with double or single quotes and you escape these (i.e. double quote (") becomes &quot; and single quote (') becomes &#39; (or &apos;)) then you should be ok. Note that Apache's StringEscapeUtils.escapeHtml will be insufficient for this task since it does not escape the single quote ('); you should use the String's replaceAll method to do this.
Otherwise, if the attribute is written: <div attr=some_value> then you need to follow the recommendation on that page and..
escape all characters with ASCII values less than 256 with the &#xHH;
format (or a named entity if available) to prevent switching out of
the attribute
Not sure if there is a non-Owasp standard implementation of this though. However, I guess it's good practice not to write attributes in this manner anyway!
Note that this is only valid when you are putting in a standard attribute values, if the attribute is a href or some JavaScript handler, then it's a different story. For examples of possible XSS scripting attacks that can occur from unsafe code inside event handler attributes see: http://ha.ckers.org/xss.html.
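As an added example (not code from the answer above, and not the OWASP or commons-lang library calls): three small encoders written for this example, applied to constructed attacker-controlled values, one per attribute quoting style. escapeHtmlNoApos reproduces the behaviour the answer attributes to StringEscapeUtils.escapeHtml (the single quote is left alone), escapeQuotedAttr adds the &#39; the answer recommends, and encodeForUnquotedAttr applies the &#xHH; rule for unquoted attributes. The input strings and method names are assumptions made for the example.

```java
public class AttributeEncoding {

    /** Mimics the behaviour the answer describes for StringEscapeUtils.escapeHtml:
     *  &, <, > and " are encoded, the single quote is not. Written here; not the library call. */
    static String escapeHtmlNoApos(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escaping for a value inside a quoted attribute: both quote characters are encoded,
     *  so neither delimiter can be closed early. The ' replacement runs after the & encoding
     *  so that the &#39; it introduces is not itself re-encoded. */
    static String escapeQuotedAttr(String s) {
        return escapeHtmlNoApos(s).replace("'", "&#39;");
    }

    /** OWASP XSS Prevention Rule #2 for unquoted attributes: encode every character below 256
     *  other than [A-Za-z0-9] as &#xHH; so that no character can terminate the attribute. */
    static String encodeForUnquotedAttr(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (!alnum && c < 256) {
                sb.append("&#x").append(Integer.toHexString(c).toUpperCase()).append(';');
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled values, one per quoting style of the attribute.
        String breakDouble = "x\" onmouseover=\"alert(1)";
        String breakSingle = "x' onmouseover='alert(1)";
        String breakNone   = "x onmouseover=alert(1)";

        // Double-quoted attribute: &quot; keeps the value inside the attribute.
        System.out.println("<input value=\"" + escapeQuotedAttr(breakDouble) + "\">");
        // Single-quoted attribute: escapeHtml-style encoding leaves ' alone, so the value escapes
        // the attribute and adds an event handler ...
        System.out.println("<input value='" + escapeHtmlNoApos(breakSingle) + "'>");
        // ... whereas encoding ' as &#39; keeps it contained.
        System.out.println("<input value='" + escapeQuotedAttr(breakSingle) + "'>");
        // Unquoted attribute: a space alone ends the attribute, so quote escaping is not enough
        // and the aggressive &#xHH; encoding is required.
        System.out.println("<input value=" + escapeQuotedAttr(breakNone) + ">");
        System.out.println("<input value=" + encodeForUnquotedAttr(breakNone) + ">");
    }
}
```

Run it and compare the second and fourth lines with the third and fifth: the first pair yields markup with a live onmouseover handler, the second pair does not. As the answer notes, none of this applies to href, src or on* attributes, where the value is interpreted as a URL or as script after the HTML decoding has already been undone.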