
Item12407: compare script deescapes character entities

Priority: Security
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Extension
Component: CompareRevisionsAddOn
Branches: Release01x01 trunk
Reported By: BjoernKautler
Waiting For:
Last Change By: GeorgeClark
I have a page with <pre> and <verbatim> on it. Escaped with character entities, so that it is displayed in normal topic view as text. For normal topic view this also works correctly. But the compare script deescapes those characters and makes them normal HTML tags which of course breaks the view. It is broken no matter what render parameter is set to.

-- BjoernKautler - 27 Feb 2013

Hm, for me

replacing

return $element->as_HTML( '', undef, {} );

by

return $element->as_HTML( '<>&', undef, {} );

in Compare.pm seems to fix the issue. Or does this break anything else?

-- BjoernKautler - 27 Feb 2013

There is a flag to not decode entities when building the Tree. Enabling that seems to resolve the issue.

-- GeorgeClark - 02 May 2014
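
Added example, not taken from this task or from the CompareRevisionsAddOn source: a standalone Perl script that shows the two approaches from the comments above, the `as_HTML` entity argument and the parser flag. The sample string and the helper name `roundtrip` are constructed, and `no_expand_entities` (HTML::TreeBuilder 4.0 and later) is assumed to be the flag meant above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::TreeBuilder;

# Constructed sample: rendered topic HTML where the author escaped the tags
# so that they display as literal text.
my $rendered = '<p>Use &lt;pre&gt; for code &amp; &lt;verbatim&gt; for raw text</p>';

# roundtrip() is a hypothetical helper: parse the fragment, then serialise
# its <p> element with the given as_HTML entity set.
sub roundtrip {
    my ( $html, $entities, $keep_entities ) = @_;
    my $tree = HTML::TreeBuilder->new;
    if ($keep_entities) {
        # Assumption: this is the flag meant in the thread. It only exists
        # in HTML::TreeBuilder 4.0 and later, so probe for it first.
        unless ( $tree->can('no_expand_entities') ) {
            $tree->delete;
            return undef;
        }
        $tree->no_expand_entities(1);
    }
    $tree->parse($html);
    $tree->eof;
    my $out = $tree->look_down( _tag => 'p' )->as_HTML( $entities, undef, {} );
    $tree->delete;
    return $out;
}

my @cases = (
    [ q{as_HTML('')              }, '',    0 ],  # parser decodes, nothing re-encoded
    [ q{as_HTML('<>&')           }, '<>&', 0 ],  # parser decodes, < > & re-encoded
    [ q{no_expand_entities + ('')}, '',    1 ],  # entities never decoded
);

for my $case (@cases) {
    my ( $label, $entities, $keep ) = @$case;
    my $out = roundtrip( $rendered, $entities, $keep );
    if ( !defined $out ) {
        print "$label  skipped: HTML::TreeBuilder older than 4.0\n";
        next;
    }
    $out =~ s/\s+\z//;
    # A literal "<pre>" in the output means the escaped text became markup.
    my $state = index( $out, '<pre>' ) >= 0 ? 'LIVE TAG' : 'escaped ';
    print "$label  $state  $out\n";
}
```

The script exercises only the serialisation call on a single element; the comment of 03 May 2014 below reports that modified sections are rendered through a different path.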

For this flag, Item12337 may be relevant...

-- JanKrueger - 02 May 2014

Thanks for the fix, BjoernKautler. Item12337 points out that the flag is only available in HTML::TreeBuilder > 4.0, which would complicate dependencies.

-- GeorgeClark - 02 May 2014

Unfortunately this fix doesn't completely work.

If the <pre> tag is in un-modified text then the as_HTML routine is called and the entities remain encoded. However if it's part of the modified section, then the code needs to return the HTML with the added class, and then encoding doesn't happen.

So far I'm not getting anywhere. The fix based upon HTML::Tree version 4 works fine.

Worse, it's working fine on trunk.foswiki.org but failing with local tests.

-- GeorgeClark - 03 May 2014

Extension has been uploaded, but task is "Waiting for release" until included in a Foswiki release.

-- GeorgeClark - 07 May 2014
 
Topic revision: r23 - 19 Jul 2015, GeorgeClark