Why is " a unsafe character?

[reisi007]

Hi,

Regarding the following source snippets:

flexmark-java/flexmark-util-sequence/src/main/java/com/vladsch/flexmark/util/sequence/Escaping.java

Lines 43 to 45 in c0313d6

	final private static String XML_SPECIAL = "[&<>\"]";
	final private static Pattern XML_SPECIAL_RE = Pattern.compile(XML_SPECIAL);

flexmark-java/flexmark-util-sequence/src/main/java/com/vladsch/flexmark/util/sequence/Escaping.java

Lines 64 to 78 in c0313d6

	final private static Replacer UNSAFE_CHAR_REPLACER = new Replacer() {
	@Override
	public void replace(@NotNull String s, @NotNull StringBuilder sb) {
	if (s.equals("&")) {
	sb.append("&");
	} else if (s.equals("<")) {
	sb.append("&lt;");
	} else if (s.equals(">")) {
	sb.append("&gt;");
	} else if (s.equals("\"")) {
	sb.append("&quot;");
	} else {
	sb.append(s);
	}
	}

Why is the " character is considered unsafe in the following context?

My usecase: I am processing Markdown, which is then processed using velocity. I rely on the fact that " is outputted as " and not as ".

I am parsing the following line of markdown (which is a function call in velocity)

$object.myfun("myString")

Expected:

$object.myfun("myString")

Actual:

$object.myfun("myString")

Sources that this is valid:

• https://pagedart.com/blog/single-quote-in-html/
• https://stackoverflow.com/questions/2210430/are-single-quotes-valid-in-html-xhtml (Strictest answer says that " is not allowed in attribute, but says nothing about plain text)

Workaround:

I am currently setting the XML_SPECIAL_RE field with my own replacer, which ignores the "case.

Proposed solution:

flexmark-java/flexmark-util-html/src/main/java/com/vladsch/flexmark/util/html/HtmlAppendableBase.java

Line 128 in c0313d6

appendable.append(Escaping.escapeHtml(s, false));

 appendable.append(s);

Thanks for your time!

[vsch]

My apologies for taking a year to address this. You are right. This was probably inherited from original code.

I will merge your PR for next release.

[reisi007]

Hi :)

It's okay. Hm....

Seeing it now there is a downside to this solution as well... Links for example . If the String "bla" contained a ", it would break the generated HTML.

So might be better to have a better workaround than that (I can look into this if you think that the solution above is not good enough)

[vsch]

I had to back out the merge because the CommonMark spec tests require this behaviour.

If you can please go ahead with a better workaround. For the next while I am going to be busy with updates to flexmark and my JetBrains Markdown Navigator plugin so will not have time to address this.

[reisi007]

It's okay :)

However I cannot run the following test

com.vladsch.flexmark.integration.test.SpecIntegrationTest

java.lang.AssertionError: Resource path: 'D:\com\vladsch\flexmark\test\util\spec.txt' not found.

We can also leave that for now, I have a workaround for my project :) And I guess I am off spec TBH