Item12659: NAMEFILTER setting in jQuery.extend causes invalid XHTML

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: Configure, JQueryPlugin, JavaScript
Branches: trunk
Reported By: MartinVonGagern
Waiting For:
Last Change By: GeorgeClark
I've noticed that the files generated on my site are not valid XML. This is not fatal, since they are shipped as text/html, not application/xhtml+xml, but as the header indicates the file as being XHTML, I still consider this rather bad form, since browsers might decide to try parsing things as XHTML.

The problem is the following:

<script type='text/javascript'>
jQuery.extend(foswiki, {
 "preferences": {
    "NAMEFILTER": "[\s\*?~^\$@%`\"'&;|<>\[\]#\x00-\x1f]"

The content of that script contains < and &, both of which are invalid in this form outside a CDATA section of an XML file.

Looking at the sources, JQueryPlugin/ in particular, I see that it simply delegates encoding to the ENCODE macro, using type="quote". This obviously isn't up to the task. The right way, in my opinion, would be writing & and < as hexadecimal escape sequences, i.e. \x26 and \x3c. Having an encoding type which does this transformation, and perhaps also escapes backslashes along the way, would be useful for all situations where a string needs to be pasted into JavaScript embedded into XHTML.

-- MartinVonGagern - 20 Nov 2013
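The encoding the report asks for, written out as an added example (this is not Foswiki code and not the ENCODE macro; the function names and the rendered script shape are assumptions made for illustration). It turns an arbitrary string into a JavaScript string literal in which every XML-significant character (<, >, &), every string-literal-significant character (backslash, both quotes), every control character and the two Unicode line terminators are written as \xNN or \uNNNN escapes, so the literal can sit inside an inline script of an XHTML page without a CDATA section. A small renderer shows the jQuery.extend block from the report built with it, and a checker verifies that the script body contains no raw < or &.

```javascript
// Added example, not Foswiki code: encode a string as a JS string literal that is
// safe inside an inline <script> of an XHTML document without a CDATA section.
// Backslashes are escaped first, so the escapes we emit cannot be re-interpreted
// (the "doubled \\" point raised in the issue).
function jsLiteralForXhtml(str) {
  let out = '"';
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    if (cp === 0x5c) out += '\\\\';                                   // backslash
    else if (cp === 0x22 || cp === 0x27) out += '\\x' + cp.toString(16); // " and '
    else if (cp === 0x3c || cp === 0x3e || cp === 0x26) out += '\\x' + cp.toString(16); // < > &
    else if (cp < 0x20 || cp === 0x7f) out += '\\x' + cp.toString(16).padStart(2, '0'); // controls
    else if (cp === 0x2028 || cp === 0x2029) out += '\\u' + cp.toString(16); // JS line terminators
    else out += ch;
  }
  return out + '"';
}

// True when a script body is well-formed as XML character data outside CDATA:
// no raw '<' and no raw '&' anywhere in it.
function isXmlSafeScriptBody(body) {
  return !/[<&]/.test(body);
}

// Render the preferences block from the report using the encoder for both keys
// and values. The surrounding markup mirrors what the issue shows; it is a
// constructed illustration, not JQueryPlugin's template.
function renderPreferencesScript(prefs) {
  const entries = Object.entries(prefs)
    .map(([k, v]) => '    ' + jsLiteralForXhtml(k) + ': ' + jsLiteralForXhtml(String(v)))
    .join(',\n');
  return "<script type='text/javascript'>\n" +
         'jQuery.extend(foswiki, {\n  "preferences": {\n' + entries + '\n  }\n});\n' +
         '</script>';
}

// Extract the text between the script tags of a rendered block.
function scriptBody(html) {
  return html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
}

// Evaluate a literal produced above to confirm it round-trips to the original
// string. Only used for verification of the encoder's own output.
function decodeLiteral(lit) {
  return new Function('return ' + lit)();
}

// Constructed sample input: the NameFilter pattern quoted in the issue, as the
// raw regex source (backslashes doubled here because this is JS source).
const NAMEFILTER_PATTERN = "[\\s\\*?~^\\$@%`\"'&;|<>\\[\\]#\\x00-\\x1f]";

// Stand-alone demonstration.
const html = renderPreferencesScript({ NAMEFILTER: NAMEFILTER_PATTERN });
console.log(html);
console.log('XML-safe body:', isXmlSafeScriptBody(scriptBody(html)));
console.log('round-trips:', decodeLiteral(jsLiteralForXhtml(NAMEFILTER_PATTERN)) === NAMEFILTER_PATTERN);
```

Because the decoded string is identical to the input, the pattern still works as a regular expression on the client side; the only thing that changes is how it is spelled in the page source. Applying this at the point where the script is generated is what makes the output valid regardless of which configuration value an administrator enters, whereas editing the value in lib/LocalSite.cfg fixes only that one setting.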

This regular expression is taken from the configuration. You should be able to fix this locally using bin/configure, changing the following:

From: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
  To: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'\x26;|\x3c>\\[\\]#\\x00-\\x1f]';

It's accessible in the "Security and Authentication" page, Environment Tab, as an "Expert" setting.

-- GeorgeClark - 20 Nov 2013

This is what I did manually, except I doubled the \\ since otherwise perl will interpret them, and you are back to where you started. I tried to find the source of this line in a current svn checkout, and found a qr/…/ regular expression instead of the string constant. But it seems that core/lib/LocalSite.cfg where I found that wasn't even from svn, but a local edit. I guess I'll have to grab a new clean svn checkout one of these days. Or clean my existing one.

-- MartinVonGagern - 20 Nov 2013

lib/LocalSite.cfg is managed by the bin/configure tool. The default is found in lib/Foswiki.spec, but that is generally not referenced again once Foswiki is installed. The initial run of bin/configure uses Foswiki.spec to establish the default settings and saves them into the lib/LocalSite.cfg. Sorry that I missed that they had to be doubled. Obviously reading a bit further on the same line shows the doubled \ for other hex values.

-- GeorgeClark - 21 Nov 2013

This is a duplicate of Item12179.

-- GeorgeClark - 24 May 2014