Re: web frontend encodes JavaScript

To: Thijs Kinkhorst <thijs@debian.org>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: web frontend encodes JavaScript
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 31 Aug 2007 21:12:24 +0200
Message-id: <[🔎] 87wsvbtt5z.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 200708311324.45428.thijs@debian.org> (Thijs Kinkhorst's message of "Fri, 31 Aug 2007 13:24:43 +0200")
References: <[🔎] 200708311324.45428.thijs@debian.org>

* Thijs Kinkhorst:

> The security tracker frontend encodes JavaScript, resulting in an invalid 
> if-construct like below (the &gt; in the third line):
>
> function onSearch(query) {
>   if (old_query_value == "") {
>     if (query.length &gt; 5) {

It's a bit difficult to fix this.  I was rather surprised that
browsers do not HTML-decode Javascript program text in XHTML
documents.  It seems that you need to write non-well-formed XML
instead.

The web framework was specifically designed not to be able to write
unencoded HTML, that's why this is hard to fix nicely. 8-/

(Changing ">" to "&gt;" in the source will result in "&amp;gt; in the
output.)

Reply to:

References:
- web frontend encodes JavaScript
  - From: Thijs Kinkhorst <thijs@debian.org>

Prev by Date: Re: pre-commit hook to check syntax
Previous by thread: Re: web frontend encodes JavaScript
Index(es):
- Date
- Thread