Sharing Our Passion For Technology
& continuous learning
〈  Back to Blog

Strict Quote Escaping in Tomcat

By Zach Cox | October 30, 2009 | Development

I just started here at Source Allies (loving it here so far, btw!) and inherited an aging code base to resurrect. It was originally deployed on Tomcat 5 and one of the issues I encountered upgrading to Tomcat 6 was strict quote escaping. The code base has lots of JSPs with elements like this:

<some:tag title="<%=(String)request.getAttribute("title")%>">

Apparently this used to fly under the radar up until Tomcat 5.5.26, but Tomcat 5.5.27+ enforces the quoting requirements of the JSP spec. Running this app with Tomcat 6 produced lots of exceptions like this one:

javax.servlet.jsp.JspException: ServletException in '/WEB-INF/content/admin/editUser.jsp': /WEB-INF/content/admin/editUser.jsp(6,23) Attribute value (String)request.getAttribute("title") is quoted with " which must be escaped when used within the value

Now, we all know that double-quotes within double-quotes is a no-no and should be fixed by either using single quotes to enclose the attribute value:

<some:tag title='<%=(String)request.getAttribute("title")%>'>

or by escaping the inner double-quotes:

<some:tag title="<%=(String)request.getAttribute(\"title\")%>">

However in this case we just needed to get the app up & running quickly so I found a quick, temporary workaround instead of fixing all of the improperly formatted quotes. Setting org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false in $TOMCAT_HOME/conf/catalina.properties allows the double-quotes within double-quotes, and no more exceptions!

〈  Back to Blog