Item12407: compare script de-escapes character entities
Priority: Security
Current State: Closed
Released In: 2.0.0
Target Release: major
I have a page with <pre> and <verbatim> on it, escaped with character entities so that they are displayed as text in normal topic view.
For normal topic view this also works correctly.
But the compare script de-escapes those characters and makes them normal HTML tags, which of course breaks the view.
It is broken no matter what render parameter is set to.
--
BjoernKautler - 27 Feb 2013
Hm, for me
replacing
return $element->as_HTML( '', undef, {} );
by
return $element->as_HTML( '<>&', undef, {} );
in
Compare.pm
seems to fix the issue. Or does this break anything else?
--
BjoernKautler - 27 Feb 2013
There is a flag to not decode entities when building the Tree. Enabling that seems to resolve the issue.
--
GeorgeClark - 02 May 2014
For this flag, Item12337 may be relevant...
--
JanKrueger - 02 May 2014
Thanks for the fix, BjoernKautler.
Item12337 points out that the flag is only available in HTML::TreeBuilder > 4.0, which would complicate dependencies.
--
GeorgeClark - 02 May 2014
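To make the two approaches above concrete, here is a small stand-alone Perl script added as an example for this task; it is not code from Compare.pm or the CompareRevisionsAddOn. It parses a constructed topic fragment in which the <pre> and <verbatim> tags have been escaped with entities, shows the breakage the reporter saw (as_HTML with an empty escape set), BjoernKautler's output-side fix (as_HTML('<>&')), and the parse-side flag GeorgeClark refers to, which is HTML::TreeBuilder's no_expand_entities() and, as Item12337 notes, needs HTML::TreeBuilder 4.0 or later. The sample HTML is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::TreeBuilder;

# Constructed sample (not from the reporter's topic): a paragraph whose <pre>
# and <verbatim> tags were escaped so they render as literal text.
my $html = '<p>Literal tags: &lt;pre&gt; and &lt;verbatim&gt;</p>';

# Default parse: entities are decoded while the tree is built, so the text
# node now holds a real "<pre>" string rather than "&lt;pre&gt;".
my $tree = HTML::TreeBuilder->new;
$tree->parse_content($html);
my $p = $tree->look_down( _tag => 'p' );

# An empty escape set means as_HTML re-encodes nothing on output, so the
# decoded "<" and ">" are emitted raw and the browser sees a live <pre> tag.
# This is the de-escaping the bug report describes.
print "broken: ", $p->as_HTML( '', undef, {} ), "\n";

# Fix 1 (output side, as posted by BjoernKautler): tell as_HTML to escape
# '<', '>' and '&' again, so the text node comes out entity-encoded.
print "fix 1 : ", $p->as_HTML( '<>&', undef, {} ), "\n";
$tree->delete;

# Fix 2 (parse side): keep entities undecoded while building the tree.
# no_expand_entities() exists in HTML::TreeBuilder >= 4.0 (see Item12337).
my $tree2 = HTML::TreeBuilder->new;
$tree2->no_expand_entities(1);
$tree2->parse_content($html);
my $p2 = $tree2->look_down( _tag => 'p' );

# The text node still contains the literal "&lt;pre&gt;", so the empty escape
# set is now correct: the output stays encoded, and because '&' is not
# re-escaped there is no double-encoding (a '<>&' escape set here would
# turn "&lt;" into "&amp;lt;").
print "fix 2 : ", $p2->as_HTML( '', undef, {} ), "\n";
$tree2->delete;
```

The point of the contrast is the one GeorgeClark raises next: fix 1 only helps on code paths that go through as_HTML with that escape set, whereas fix 2 keeps the entities intact in the tree itself, so every path that later serialises the node (including one that wraps it in extra markup rather than calling as_HTML) emits them unchanged.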
Unfortunately this fix doesn't completely work.
If the <pre> tag is in unmodified text then the as_HTML routine is called and the entities remain encoded. However, if it's part of the modified section, then the code needs to return the HTML with the added class, and then encoding doesn't happen.
So far I'm not getting anywhere. The fix based upon HTML::Tree version 4 works fine.
Worse, it's working fine on trunk.foswiki.org but failing with local tests.
--
GeorgeClark - 03 May 2014
Extension has been uploaded, but task is "Waiting for release" until included in a Foswiki release.
--
GeorgeClark - 07 May 2014