Closed
Bug 245399
Opened 20 years ago
Closed 20 years ago
nsEscapeHTML* should escape single quote
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
People
(Reporter: BenB, Assigned: BenB)
Details
Attachments
(2 files, 1 obsolete file)
1.69 KB,
patch
|
Details | Diff | Splinter Review | |
1.78 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
See bug 243040 comment 11 ff. May be security bug. May break stuff. I'll attach a patch, but I won't garantee for anything and don't want to be held liable for any possible fallout.
Assignee | ||
Updated•20 years ago
|
Group: security
Status: NEW → ASSIGNED
Updated•20 years ago
|
Summary: nsEscape should escape single quote → nsEscapeHTML2 should escape single quote
Assignee | ||
Comment 1•20 years ago
|
||
Fix. nsEscapeHTML* really shouldn't hardcode the max entity length in the buffer allocation. I *almost* caused a (small) buffer overflow here!
Assignee | ||
Updated•20 years ago
|
Attachment #149956 -
Flags: superreview?(jst)
Attachment #149956 -
Flags: review?(darin)
Comment 2•20 years ago
|
||
In bug 243040 I asked about the difference between the various routines in nsEscape, both vs. each other, and when it's appropriate to use nsEscapeHTML and nsEscapeHTML2 instead of the entity converters that live in the intl libraries, e.g. NS_ENTITYCONVERTER_CONTRACTID. This isn't Ben's problem and shouldn't block bug 243040, but it would be great if someone who understands the issue could comment on it, or, ideally, add a comment in nsEscape.h explaining the use of those two routines. Is the difference that nsEscapeHTML* are meant for cases where we're creating text that we're immediately intending to parse, but otherwise don't want entity conversion?
Assignee | ||
Comment 3•20 years ago
|
||
I intended to add a comment about nsEscapeHTML* in a later version of the patch. I don't know what the diff between nsEscape() and NS_EscapeURL is, though.
Comment 4•20 years ago
|
||
Comment on attachment 149956 [details] [diff] [review] Fix, v1 - PRUnichar *resultBuffer = (PRUnichar *)nsMemory::Alloc(aSourceBufferLen*6*sizeof(PRUnichar) + sizeof(PRUnichar('\0'))); + // XXX don't hardcode max entity len + PRUnichar *resultBuffer = (PRUnichar *)nsMemory::Alloc(aSourceBufferLen*7*sizeof(PRUnichar) + sizeof(PRUnichar('\0'))); If you're going to add that comment here, add it in the other place too, or just leave it out (my preference). sr=jst
Attachment #149956 -
Flags: superreview?(jst) → superreview+
Updated•20 years ago
|
Attachment #149956 -
Flags: review?(darin) → review+
Assignee | ||
Comment 5•20 years ago
|
||
Actually, there are not as many callers as I thought: <http://lxr.mozilla.org/seamonkey/search?string=nsEscapeHTML>. Mainly bookmarks and Mailnews in a few places each. This actually looks bogus to me, because I'd guess that escaping would be needed in many places - either they places are not escaping properly or duplicate the code or it's not needed as often as I think :).
Assignee | ||
Comment 6•20 years ago
|
||
This is the version I checked in. Identical to last version, with comment changes requested.
Attachment #149956 -
Attachment is obsolete: true
Assignee | ||
Comment 7•20 years ago
|
||
FIXED. I'll add the comment/doc mentioned in comment2/3, if/when I have a chance later.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Summary: nsEscapeHTML2 should escape single quote → nsEscapeHTML* should escape single quote
Comment 8•20 years ago
|
||
Shouldn't "'" be escaped to "'" instead of "‘"?
Assignee | ||
Comment 9•20 years ago
|
||
I don't know, but apos is not listed on <http://www.w3.org/TR/REC-html40/sgml/entities.html>
Comment 10•20 years ago
|
||
I guess "'" is only defined in XHTML. For HTML, "'" can be used instead. This is what e.g. PHP's htmlspecialchars() <http://www.php.net/manual/en/function.htmlspecialchars.php> does.
Comment 11•20 years ago
|
||
This broke apostrophe's in bookmark names.
Assignee | ||
Comment 12•20 years ago
|
||
Bug 245758. I said I won't fix fallout. This bug is fixed, bookmarks need to be fixed. Closing again.
No longer blocks: 245758
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 13•20 years ago
|
||
I grepped through the source for "unescape" and the only other relevant instance I found is in nsRelatedLinksHandler.cpp (I filed bug 245763 about it), which seems to be a copy of the relevant bookmarks code. I'll attach a fix for both, but we probably should add an nsUnescapeHTML2() to nsEscape.cpp?
Comment 14•20 years ago
|
||
Well, you slightly changed the contract of nsEscapeHTML, it used to just escape using entities common to XML and HTML and you've added a HTML-only entity. lsquo really is not the right entity for an apostrophe, it's apos in XML or #039 in both XML and HTML. Is there any reason to not use #039?
Assignee | ||
Comment 15•20 years ago
|
||
> you slightly changed the contract of nsEscapeHTML No, only the impl, i.e. what it does, not what it's supposed to do. > you've added a HTML-only entity <http://www.w3.org/TR/REC-xml/#sec-predefined-ent> shows that ' is probably the right replacement. REOPENing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 16•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Attachment #150180 -
Flags: superreview?(jst)
Attachment #150180 -
Flags: review?(darin)
Comment 17•20 years ago
|
||
Comment on attachment 150180 [details] [diff] [review] Fix, v3 - use #39 instead of lsquo r+sr=jst
Attachment #150180 -
Flags: superreview?(jst)
Attachment #150180 -
Flags: superreview+
Attachment #150180 -
Flags: review?(darin)
Attachment #150180 -
Flags: review+
Assignee | ||
Comment 18•20 years ago
|
||
Fix v3 checked in. Marking FIXED again.
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•