
Item12179: JQueryPlugin::FOSWIKI: not properly escaping NAMEFILTER preference.

Priority: Normal
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Extension
Component: JQueryPlugin
Branches: master
Reported By: JanKrueger
Waiting For:
Last Change By: GeorgeClark
JQueryPlugin::FOSWIKI is responsible for making preference values available to various JavaScript functions. It does this by inserting a JSON definition into the page. Unfortunately, the current escaping mechanism for the strings is insufficient.

  • Currently, the only thing that gets escaped is double quote characters (it does this by outputting %ENCODE{"[pref here]" type="quote"}%).
  • We need to doublify backslashes at the very least (i.e. \\\), and also encode basic HTML characters (<>&) as entities in order to pass XHTML validation.

This is fairly tricky because, according to GeorgeClark, we can't properly expand the contents of the preferences this early in the code, so we do have to let the normal Render take care of the escaping. There is no ENCODE mode that will doublify backslashes, though.

The impact is that webtopiccreator.js will fail to fix the topic field if non-WikiWords are allowed.

-- JanKrueger - 22 Oct 2012

Does it help if we put the <script> inside a CDATA section? We should probably be doing this anyway.

Something like
<script type="text/javascript">
    // <![CDATA[
    alert('foo');
    // ]]>
</script>

-- PaulHarvey - 23 Oct 2012

Indeed. The only browser that I know of that could take exception with that is Internet Explorer 6... but even so, that just removes the problem for <, > and &. We still need to make sure double quotes and backslashes are backslash-escaped, then.

PS. IE6 is probably broken anyway, since we're not sending the pages with the proper XHTML MIME type (if we did, conforming browsers wouldn't currently be rendering the pages at all).

-- JanKrueger - 23 Oct 2012

This is partially fixed in Item12659 by encoding the two characters that fail the XHTML validation, &lt; and &. Leaving this task open to possibly be addressed with a more general solution.

-- GeorgeClark - 24 May 2014

Long term, PatternSkin should move to a HTML5 doctype, where this isn't an issue.

-- MichaelDaum - 26 May 2014

Deferring to 1.2.1 or later for a more thorough fix.

-- GeorgeClark - 15 Mar 2015

Problem is that we are not using JSON.pm to create the json object. In addition, this is done using an unsafe inline script. Solution is to make it a text/json and parse it into foswiki.preferences as part of jquery.foswiki's init.

-- MichaelDaum - 22 Sep 2015
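As an added example (not code from this ticket, JQueryPlugin or Foswiki), the contrast between the quote-only escaping described in the report and the JSON-based approach proposed in the last comment, run against a constructed NAMEFILTER-like value; all function names are hypothetical.

```javascript
// Constructed sample: a NAMEFILTER-style preference (a regex character class
// full of backslash escapes and quotes). Not Foswiki's actual default value.
const NAMEFILTER = '[\\s*?~^$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';

// Original mechanism: only double quotes are escaped, and the result is
// dropped into an inline <script> as a JavaScript string literal.
function quoteOnlyLiteral(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Proposed mechanism: real JSON serialisation (backslashes and quotes are
// handled), then <, > and & are replaced by their \uXXXX escapes so the
// payload contains no markup-significant characters yet stays valid JSON.
function safeJsonLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Simulates what the browser does with an inline script: evaluate the literal.
function evalAsJs(literal) {
  return new Function('return ' + literal)();
}

// True when evaluating the literal gives back the original preference value.
function roundTrips(literal) {
  return evalAsJs(literal) === NAMEFILTER;
}

// True when the literal could sit in an XHTML script body without <, > or &.
function isMarkupInert(literal) {
  return !/[<>&]/.test(literal);
}

// Whole-preferences variant of the text/json idea: serialise the object with
// the same escapes, and parse it back at init time instead of executing it.
function serializePreferences(prefs) {
  return JSON.stringify(prefs)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function loadPreferences(scriptBody) {
  return JSON.parse(scriptBody);
}
```

Evaluating the quote-only literal turns `\s` into `s` and `\x00` into a real NUL, which is why the backslashes in NAMEFILTER get lost on the way to webtopiccreator.js.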
Topic revision: r12 - 10 Oct 2015, GeorgeClark