Why is Oracle ADF not escaping quotes for me when I use <h:outputText> to build up strings in JavaScript?

<jsp:root ...>
 <f:view ...>
  <afh:html>
   <f:loadBundle basename="message" var="msg"/>
   <afh:head ...>
    <script>
     function validate() {
      var errorMessages = '';
      .
      .
      if (regNum == '') {
       errorMessages = errorMessages + '<h:outputText value="#{msg['getDetails.validate.regNum']}"/>' + '\r\n';
      }
      .
      .

In my message resources file I have something like

getDetails.validate.regNum=I'd enter the registration number if I were you.

The real text is in Irish with accented characters, and I can see that the accented characters get escaped but not the quote character.

+1  A: 
<h:outputText value="#{msg['getDetails.validate.regNum']}"/>

The intent of the outputText JSF component is to emit character data (it can emit a styled span element, for example). Although the exact form emitted by its renderer is an implementation detail, nothing in its specification suggests that it is suitable for attribute or JavaScript string literal encoding.

Text content will generally be emitted by the ResponseWriter.writeText methods. Quote marks don't need to be escaped in character data.

The encoding of the accented characters is either due to them not being present in your response encoding or an overly cautious ResponseWriter implementation that is guarding against encoding problems. Characters in the ASCII set are unlikely to be escaped in this manner.

McDowell
+2  A: 

Because single quotes are not illegal in HTML.

But they are in JS. You can use fn:replace() to escape them.

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
<script>
   var foo = '<h:outputText value="#{fn:replace(msg['getDetails.validate.regNum'], "'", "\'")}"/>';
BalusC
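
The two output contexts discussed in the answers above, as an added example that is not part of the original posts. It models the server's output in plain JavaScript rather than JSF, all function names are hypothetical, and it goes beyond the single-quote replacement by also encoding backslashes, `<`, control characters and non-ASCII characters.

```javascript
// Added illustration: function names are hypothetical, not JSF or ADF APIs.

// Models encoding for HTML character data: markup characters and non-ASCII
// become entities, while an apostrophe is legal there and passes through.
function encodeHtmlText(s) {
  return s
    .replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]))
    .replace(/[^\x00-\x7f]/gu, c => `&#${c.codePointAt(0)};`);
}

// Encodes for a JavaScript string literal inside an inline <script> block.
// Quotes, backslash, <, >, &, control characters and all non-ASCII code units
// become \uXXXX, so the value cannot end the literal or the script element.
function encodeJsString(s) {
  return s.replace(/[\\'"<>&\u0000-\u001f\u007f-\uffff]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the statement the page would emit, then parses it as a browser would.
function renderAndRun(encoder, message) {
  const script = "return '" + encoder(message) + "';";
  try {
    return { script, value: new Function(script)() };
  } catch (e) {
    return { script, error: e.name };
  }
}

const english = "I'd enter the registration number if I were you."; // from the question
const accented = "d'uimhir chláraithe"; // constructed sample text

console.log(renderAndRun(encodeHtmlText, english)); // literal ends at the apostrophe
console.log(renderAndRun(encodeJsString, english)); // round-trips
console.log(renderAndRun(encodeJsString, accented)); // round-trips
```
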