Item12659: NAMEFILTER setting in jQuery.extend causes invalid XHTML
Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
I've noticed that the files generated on my site are not valid XML. This is not fatal, since they are shipped as text/html, not application/xhtml+xml, but as the header indicates the file as being XHTML, I still consider this rather bad form, since browsers might decide to try parsing things as XHTML.
The problem is the following:
<script type='text/javascript'>
jQuery.extend(foswiki, {
"preferences": {
…,
"NAMEFILTER": "[\s\*?~^\$@%`\"'&;|<>\[\]#\x00-\x1f]"
}});
</script><!--JQUERYPLUGIN::FOSWIKI::PREFERENCES-->
The content of that script contains < and &, both of which are invalid in this form outside a CDATA section of an XML file.
Looking at the sources, JQueryPlugin/FOSWIKI.pm in particular, I see that it simply delegates encoding to the ENCODE macro, using type="quote". This obviously isn't up to the task. The right way, in my opinion, would be writing & and < as hexadecimal escape sequences, i.e. \x26 and \x3c. Having an encoding type which does this transformation, and perhaps also escapes backslashes along the way, would be useful for all situations where a string needs to be pasted into JavaScript embedded into XHTML.
-- MartinVonGagern - 20 Nov 2013
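The escaping Martin proposes above (write & and < as \x26 and \x3c, and escape backslashes along the way), as an added JavaScript example that is not part of Foswiki or of this report. The function names and the rendering of the preferences block are assumptions made for the example; the NAMEFILTER value is the one quoted in the report. The example also checks what the report cares about: the emitted script body contains no raw < or &, and the JavaScript engine still reconstructs the original regex text.

```javascript
// Added example (not Foswiki code): escape a string so it can be placed
// inside a JavaScript string literal that is itself embedded in an XHTML
// <script> element. Characters that matter to the XML parser (&, <, >) or
// to the JS string literal (backslash, quotes, control characters) are
// written as \xNN hex escapes, so the script text is valid XML character
// data and the JavaScript engine still rebuilds the original string.
function escapeForXhtmlScript(str) {
  let out = "";
  for (const ch of str) {
    const code = ch.codePointAt(0);
    const special = ch === "\\" || ch === "'" || ch === '"' ||
                    ch === "&" || ch === "<" || ch === ">";
    if (code < 0x20 || code === 0x7f || special) {
      out += "\\x" + code.toString(16).padStart(2, "0");
    } else {
      out += ch;            // everything else is safe in both XML and JS
    }
  }
  return out;
}

// Hypothetical replacement for the ENCODE type="quote" step: renders the
// body of the jQuery.extend(foswiki, {...}) block from a preferences map.
function renderPreferencesScriptBody(prefs) {
  const entries = Object.entries(prefs)
    .map(([k, v]) => `    "${escapeForXhtmlScript(k)}": "${escapeForXhtmlScript(v)}"`)
    .join(",\n");
  return "jQuery.extend(foswiki, {\n  \"preferences\": {\n" + entries + "\n  }});";
}

// The content of a <script> element is ordinary XML character data unless
// wrapped in CDATA, so a raw '<' or '&' makes the document ill-formed.
function isValidXmlCharacterData(text) {
  return !/[<&]/.test(text);
}

// Interpret the escaped text the way a JS engine reads a string literal.
// Safe to do here because every quote and backslash has been escaped.
function decodeJsStringLiteral(escaped) {
  return new Function("return '" + escaped + "';")();
}

// The NAMEFILTER value quoted in the report, as the regex text itself
// (the doubled backslashes are JS source syntax for single backslashes).
const NAME_FILTER = "[\\s\\*?~^\\$@%`\"'&;|<>\\[\\]#\\x00-\\x1f]";

// Demonstration: escape, check the XML constraint, and round-trip the value.
function demo() {
  const body = renderPreferencesScriptBody({ NAMEFILTER: NAME_FILTER });
  const escaped = escapeForXhtmlScript(NAME_FILTER);
  const roundTrip = decodeJsStringLiteral(escaped);
  const filter = new RegExp(roundTrip);
  return {
    body,
    wellFormed: isValidXmlCharacterData(body),
    roundTripsExactly: roundTrip === NAME_FILTER,
    filterStillWorks: filter.test("a&b") && !filter.test("abc"),
  };
}

console.log(demo());
```

The escaper deliberately also covers > and the quote characters, so the same output is safe whether the literal is emitted in single or double quotes and regardless of whether the XML serializer would have tolerated a bare >.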
This regular expression is taken from the configuration. You should be able to fix this locally using bin/configure, changing the following:
From: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
To: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'\x26;|\x3c>\\[\\]#\\x00-\\x1f]';
It's accessible in the "Security and Authentication" page, Environment Tab, as an "Expert" setting.
-- GeorgeClark - 20 Nov 2013
This is what I did manually, except I doubled the \\ since otherwise perl will interpret them, and you are back to where you started. I tried to find the source of this line in a current svn checkout, and found a qr/…/ regular expression instead of the string constant. But it seems that core/lib/LocalSite.cfg where I found that wasn't even from svn, but a local edit. I guess I'll have to grab a new clean svn checkout one of these days. Or clean my existing one.
-- MartinVonGagern - 20 Nov 2013
lib/LocalSite.cfg is managed by the bin/configure tool. The default is found in lib/Foswiki.spec, but that is generally not referenced again once Foswiki is installed. The initial run of bin/configure uses Foswiki.spec to establish the default settings and saves them into the lib/LocalSite.cfg. Sorry that I missed that they had to be doubled. Obviously reading a bit further on the same line shows the doubled \ for other hex values.
-- GeorgeClark - 21 Nov 2013
This is a duplicate of Item12179
-- GeorgeClark - 24 May 2014