1

In files.jsp I am using following anchor and JSTL c:url combination -

<c:url value="downloadfile.jsp" var="dwnUrl" scope="request">
  <c:param name="fileType" value="PDF"/>
  <c:param name="fileId" value="${file.fileId}"/>
  <c:param name="fileName" value="${file.fileName}"/>
  </c:url>
<a href="${dwnUrl}">Download</a>

On downloadfile.jsp getting the file name value in JavaScript variable as -

selectedFile = <c:out value='${param.fileName}'>

Now, if file name contains some extra character e.g. XYZ 2/3" Technical then on the other page I am getting some different character as - XYZ 2/3#034; Technical

However, if I print request.getParameter("fileName"), its giving correct name. What is wrong?

Improve this question
2
  • It is a bad idea to use JSP to download files. You risk template characters being appended to the file source which may corrupt binary files. Rather use a Servlet. You can find here a basic example: balusc.blogspot.com/2007/07/fileservlet.html Commented Dec 15, 2009 at 16:28
  • I can not change the existing framework. Commented Dec 16, 2009 at 11:24

3 Answers 3

Reset to default
1

The <c:out> by default escapes XML entities, such as the doublequote. This is done so to get well-formed XML and to avoid XSS.

To fix this, you should either get rid of <c:out>, since JSP 2.0, EL works perfectly fine in template text as well:

selectedFile = '${param.fileName}';

.. or, if you're still on legacy JSP 1.2 or older, set its escapeXml attribute to false:

selectedFile = '<c:out value="${param.fileName}" escapeXml="false">';

Note that I have added the singlequotes and semicolon to make JS code valid.

Needless to say, you'll need to keep XSS risks in mind if you do so.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

The funky characters in your <c:param> values are being URL encoded by <c:url> as they should be. As far as downloadfile.jsp is concerned, the servlet container takes care of URL decoding incoming variables so you don't have to. This is normal behavior and shouldn't pose any problems for you.

Improve this answer

5 Comments

Well, I don't understand. Simply, I am displaying the value of "selectedFile" varible and that is showing something unexpected. In the container's (Tomcat5) configuration encoding scheme is set as "UTF8".
@Saurabh: Make sure it's not rendering as doubly encoded in files.jsp. When you view source in your browser on the rendered page for files.jsp, what does it look like?
Hi Asaph. I can see the same ugly characters in view source also i.e. XYZ 2/3#034; Technical My development environment is Eclipse. If I will open the properties of files.jsp, the text file encoding is set as default (determined from content: ISO-8859-1). Should I change this to "UTF-8"?
@Saurabh: Sure. You could try doing that. BTW: You should also try physically backspacing over that double quote symbol and actually retyping it as a UTF8 char.
Tried all but no luck. However, the problem is solved. Just change the statment as - selectedFile = <c:out escapeXml='false' value='${param.fileName}'> Thanks for your help. :)
0

If you simply turn escapeXml to false as @BalusC suggests, you will add an XSS vunerability to your page. Instead, you should encode the user input at the time of injection into the destination language, and escape characters that would be evaluated in the destination language. In this case, if the user input contained a single quote character (I'm assuming the string literal in your original example was supposed to be wrapped in single quotes, but the same would be true for double quotes if you were using them), any JavaScript code that followed it would be interpreted by the browser and executed. To safely do what you are trying to do, you should change the line in downloadfile.jsp to:

selectedFile = '${fn:replace(param.fileName, "'", "\'")}';

That will escape only single quotes, which would otherwise end the string literal declaration.

If you were using double quotes, then this would be appropriate:

selectedFile = "${fn:replace(param.fileName, '"', '\"')}";

It is worth noting that escapeXml could be appropriate for escaping JavaScript string literals (and it often is) when the string literal will eventually be dumped into HTML markup. However, in this case, the value should not be XML escaped as it is evaluated in the context of a file path, rather than in the context of HTML.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.