You are here: Foswiki>Tasks Web>Item12179 (10 Oct 2015, GeorgeClark)Edit Attach

Item12179: JQueryPlugin::FOSWIKI: not properly escaping NAMEFILTER preference.

pencil
Priority: Normal
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Extension
Component: JQueryPlugin
Branches: master
Reported By: JanKrueger
Waiting For:
Last Change By: GeorgeClark
JQueryPlugin::FOSWIKI is responsible for making preference values available to various JavaScript functions. It does this by inserting a JSON definition into the page. Unfortunately, the current escaping mechanism for the strings is insufficient.

  • Currently, the only that gets escaped is double quote characters (it does this by outputting %ENCODE{"[pref here]" type="quote"}%).
  • We need to doublify backslashes at the very least (i.e. \\\, and also encode basic HTML characters (<>&) as entities in order to pass XHTML validation.

This is fairly tricky because, according to GeorgeClark, we can't properly expand the contents of the preferences this early in the code, so we do have to let the normal Render take care of the escaping. There is no ENCODE mode that will doublify backslashes, though.

The impact is that webtopiccreator.js will fail to fix the topic field if non-WikiWords are allowed.

-- JanKrueger - 22 Oct 2012

Does it help if we put the <script> inside an CDATA section? As we should probably doing this anyway.

Something like
<script type="text/javascript">
    // <![CDATA[
    alert('foo');
    // ]]>
</script>

-- PaulHarvey - 23 Oct 2012

Indeed. The only browser that I know of that could take exception with that is Internet Explorer 6... but even so, that just removes the problem for <, > and &. We still need to make sure double quotes and backslashes are backslash-escaped, then.

PS. IE6 is probably broken anyway, since we're not sending the pages with the proper XHTML MIME type (if we did, conforming browsers wouldn't currently be rendering the pages at all).

-- JanKrueger - 23 Oct 2012

This is partially fixed in Item12659 by encoding the two characters that fail the XHTML validation, &tl; and & Leaving this task open to possibly be addressed with a more general solution.

-- GeorgeClark - 24 May 2014

Long term, PatternSkin should move to a HTML5 doctype, where this isn't an issue.

-- MichaelDaum - 26 May 2014

Deferring to 1.2.1 or later for a more thorough fix.

-- GeorgeClark - 15 Mar 2015

Problem is that we are not using JSON.pm to create the json object. In addition this is done using an unsafe inline script. Soluition is to make it a text/json and parse it into foswiki.preferences as part of jquery.foswiki's init.

-- MichaelDaum - 22 Sep 2015
 
Topic revision: r12 - 10 Oct 2015, GeorgeClark - This page was cached on 29 May 2016 - 08:00.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License