Closed Bug 51355 Opened 24 years ago Closed 23 years ago

moz escapes javascript: urls containing non-ascii chars

Categories

(Core :: DOM: HTML Parser, defect, P2)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.2

People

(Reporter: mikko.rantalainen, Assigned: nhottanscp)

References

Details

(Keywords: highrisk, intl, Whiteboard: [PDT+]wait for tree open to check in)

Attachments

(11 files)

Attaching the reporter's HTML test case here -
220 bytes, text/html
Details
nbsp html entity in url
229 bytes, text/html
Details
extended testcase
1.13 KB, text/html
Details
Patch, use UTF-8 if the URI shcheme is 'javascript', changed files where ASCII is assumened for URI to UTF-8.
4.68 KB, patch
Details | Diff | Splinter Review
Patch, updated with jst's comment (diff -uw).
2.27 KB, patch
Details | Diff | Splinter Review
Patch, updated with jst's comment (diff -uw), ignore the last patch, I put a wrong one.
4.50 KB, patch
Details | Diff | Splinter Review
Patch, updated with the 2nd jst's comment (diff -uw).
4.55 KB, patch
Details | Diff | Splinter Review
Patch, removed "pos != -1" check.
4.52 KB, patch
Details | Diff | Splinter Review
Patch, localized change to only modify nsHTMLUtils.cpp.
1.65 KB, patch
Details | Diff | Splinter Review
Patch, updated with ftang's suggestion.
1.64 KB, patch
Details | Diff | Splinter Review
Patch, updated with the suggestions (diff -uw)
1.69 KB, patch
Details | Diff | Splinter Review 
Any "special" character in href causes javascript to fail because browser
escapes all "special" characters. Following code works in Netscape Communicator
4.73 but two last fail under mozilla (build ID:2000090421 - quite probably
others builds too).

<html>
<a href='javascript:alert("Hello World!")'>Hello World!</a><br>
<a href='javascript:alert("Hello Wörld!")'>Hello Wörld!</a><br>
<a href='javascript:alert("Hello W&#246;rld!")'>Hello W&#246;rld!</a><br> </html>

As seen in the status bar mozilla translates second and third href as
'javascript:alert(%22Hello%20W%F6rld!%22)' which doesn't work. I'm not sure
whether the second href should work or not but IMHO third one should because I
have escaped &ouml; character. (Escaping " as %22 doesn't make any difference
either).

IMO correct solution would be to use string between " or ' characters in whole
with no other translation but *unescaping* before scripting.
Even NN4.73, if you type this into the URL bar:

              javascript:alert("Hello W&#246;rld!");

it doesn't work. There seems to be browser code that escapes the
characters if they are part of HTML. Therefore I'm sending this bug
over to the Parser component for further triage, as it doesn't seem
to be a JS Engine issue -
Assignee: rogerl → rickg
Status: UNCONFIRMED → NEW
Component: Javascript Engine → Parser
Ever confirmed: true
QA Contact: pschwartau → janc
I don't believe we plan to support javascript in attributes. 
Vidur?
marking wont fix, since I don't think we're supporting js attributes.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
javascript: in a href is not the same as JavaScript entities. We're not 
supporting the latter. The former should and does work. The entities and Unicode 
characters in the attributes in the examples shown should be correctly 
preserved.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Vidur's right, my mistake. Note that the parsing engine is passing the href's 
along unchanged. I suspect the culprit is either the link handling code or the 
sink. I'll dig a bit more.
Status: REOPENED → ASSIGNED
I've now confirmed that the javascript attributes are being parsed and stored as 
written. I now suspect that the anchor handling code is converting these before 
showing them.
Reassigning to trudele for triage. I think the content model is well formed, and 
that the problem is in the link handling code.
Assignee: rickg → trudelle
Status: ASSIGNED → NEW
Keywords: nsbeta3
Priority: P3 → P2
Thanks to billlaw, I've tracked this down to nsIOService::Escape(). The valid 
nsString is being converted to a whacky C-String (hence the %20's). Please take 
a look.
Assignee: trudelle → warren
Note: this may also be the solution to bug 40469 (-?)
The problem specifically is the use of Escape here: 
http://lxr.mozilla.org/seamonkey/source/layout/html/content/src/nsHTMLUtils.cpp#
150

We are converting all questionable characters in the string to their escaped 
values. Probably what we should do is construct the appropriate kind of url for 
the protocol in question (here, javascript:), and let the protocol's url parser 
deal with the escaping (if necessary). For javascript: we'll want to escape the 
things inside the quotes (I think), but not the entire url string. For "standard 
URLs" (most of the other protocols) we'll escape according to their rules.
Not working on any platform:
2000-10-05-09-MN6 : Windows
2000-10-05-13-MN6 : Mac
2000-10-05-09-MN6 : Linux
 
Changing platform/os to all/all

Nominating for rtm
Keywords: rtm
OS: Linux → All
Hardware: PC → All
Warren, is there a trivial fix for this?  This bug has languished almost a month
in the rtm nomination state.  If we don't need this for rtm, please mark it rtm-.
Whiteboard: [need info]
rtm-, no activity.  please update the bug if you're actually working on it.
Whiteboard: [need info] → [rtm-]
Even a classic non breakable space html entity gives same wrong behavior.  
Try this (attached next) : 
<html><head><title>non breakable space</title></head><body>
<a href='javascript:alert("Hello&nbsp;World!")'>Hello&nbsp;World!</a><br>
or<br>
<a href="javascript:alert('Hello&nbsp;World!')">Hello&nbsp;World!</a>
</body></html>

    
    

    
  
updated qa contact.
QA Contact: janc → bsharma

    
    

    
  
*** Bug 75542 has been marked as a duplicate of this bug. ***

    
    

    
  
The escapes are part of the URL syntax, so it should be just as valid if the
page contained the escaped characters.  Isn't the problem really that
something needs to unescape them?

    
    

    
  
Reassigning to component's default owner. Warren, hope you don't mind.
Assignee: warren → harishd

    
    

    
  
The problem is either in the JS engine or in layout.

Reassigning bug to waterson. ccing attinasi & rogerl
Assignee: harishd → waterson

    
    

    
  
*** Bug 77043 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 60576 has been marked as a duplicate of this bug. ***

    
    

    
  

      
      
      
      

        Attached file
          
        extended testcase
      

    


  

    
    

    
  
*** Bug 55468 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 63314 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 66055 has been marked as a duplicate of this bug. ***

    
    

    
  
cc jst@netscape.com,ftang@netscape.com since I'm copying their comments from 
duplicate bugs.  (pschwartau@netscape.com and jag@tty.nl are already cc'ed 
here.)


From bug 55468:

------- Additional Comments From Johnny Stenback 2000-11-21 02:01 -------

Mozilla's javascript: URL handling is a mess, we escape the non-ASCII characters
in their original charset but we never unescape them - also, the escaped URL has
no charset info in it so even if we did unescape the JS URL before executing it
there's no way to know what charset the URL is encoded as... oh my



From bug 66055:

------- Additional Comments From Frank Tang 2001-01-30 11:32 -------

We probably don't care if this only a issue in alert. But I think the alert here
is just use as a simplified test case. The real problem is these JavaScript is
inside the HREF. We escape them since other URL need to be escaped but we didn't
consider the case for JavaScript. What we should do is find out the code between
the layout engine and the javaScript code and unescape it back by using the
document charset.

I think this bug is in the border line of fixing or not fixing. Let's keep this
as future untill we find breakage in the real world case.



From bug 63314:

------- Additional Comments From Peter ``jag'' Annema 2000-12-19 12:29 -------

Actually, this should be escaped (it's supposed to be an URI[0]), so I guess it 
should be unescaped before handing it to the JS engine. I strongly suspect this 
to be a dupe of an existing bug.

[0] http://www.w3.org/TR/html4/struct/links.html#adef-href


------- Additional Comments From Phil Schwartau 2001-04-26 11:06 -------

This WW3 link may be of interest:

     http://www.w3.org/TR/html4/appendix/notes.html#non-ascii-chars
Keywords: 4xp, 
          
            intl
Summary: "javascript:code" doesn't work in hrefs properly → moz escapes javascript: urls containing non-ascii chars

    
    

    
  
cc jst@netscape.com,ftang@netscape.com since I just copied their comments from 
duplicate bugs.

    
    

    
  
My attached testcase doesn't cover:
- %hh in javascript: URLs that contain non-ascii characters
- %hh in javascript: URLs that do not contain non-ascii characters
- unescaping with the correct charset (?) (from bug 55468)
Keywords: mozilla1.0

    
    

    
  
*** Bug 69043 has been marked as a duplicate of this bug. ***

    
  
Keywords: mostfreq

    
    

    
  
*** Bug 79602 has been marked as a duplicate of this bug. ***

    
    

    
  
How did I get this bug?
Assignee: waterson → harishd

    
    

    
  
The problem seems to be around line: 150 in nsHTMLUtils.cpp ( what rickg had 
pointed out ).

http://lxr.mozilla.org/seamonkey/source/content/html/content/src/nsHTMLUtils.cpp
#150

Back to waterson :-)

Assignee: harishd → waterson

    
    

    
  
This should probably go to ftang.
Assignee: waterson → ftang

    
    

    
  
nhotta- can you help this one?
Assignee: ftang → nhotta

    
    

    
  
I tried additional cases.

<a href='javascript:alert("Hello W\u00F6rld!")'>Hello W&#246;rld!</a><br>
this works.
<a href='javascript:alert("Hello W%F6rld!")'>Hello W&#246;rld!</a><br>
this works but does not unescape "%F6".

Not sure which spec the string should follow, URI, HTML, JS or all?
Is there a spec for the case, href=javascript?
Only \uxxxx seems to be working now.


    
    

    
  
nhotta: try this
 <a href="Hello W&#246;rld">Hello W&#246;rld</a>

    
    

    
  
I tried that (it was in the original report) and it did not work.
I assume "&#246;" is decoded to unicode and if that is escaped to "%F6", it
still should works even if that is not unescaped (as my second example).
I am going to look at the actual value in nsHTMLUtils.cpp.
But I would like to know what is really allowed in that string (%xx, \uxxxx,
&#xxx;).

    
    

    
  
I looked at the value, that was "%22Hello%20W%F6rld!%22" as mentioned in the
original report.
So it has to be unescaped before passed to JavaScript. The problem is when
unescape and convert to unicode, you don't know about the charset.

There is a proposal of adding a hint_charset field to nsIURI. It also proposes
to use UTF-8, so the current conversion and escape code may not be needed, you
just need to set the hint_charset and call NS_ConvertUCS2toUTF8.
It was posted on 5/11/2001 to n.p.m.netlib, cc to people from that post. Is
there a bug for that proposal?


    
  
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.2

    
    

    
  
Filed bug 84032 for adding "hint_charset" to nsIURI.


    
    

    
  
Asked jst and rpotts for reviews.


    
    

    
  
Should charset conversion apply to all new protocols by default?  CF bug 81717
(converting \ to / in links should happen for only http,https,ftp rather than
everything except javascript).

    
    

    
  
I had a look at the attached patch and there's a bunch of issues with this patch:

In nsGenericHTMLElement.cpp:

       nsAutoString href;
-      href.AssignWithConversion(hrefCStr);
+      href = NS_ConvertUTF8toUCS2(hrefCStr);

If you'd make this:

-      nsAutoString href;
-      href.AssignWithConversion(hrefCStr);
+      NS_ConvertUTF8toUCS2 href(hrefCStr);

you'd save a string copy, no?

The changes in nsHTMLUtils.cpp seem like major overkill to me, we convert a
unicode string into a utf8 cstring (and this conversion is very likely to end up
doing an malloc since URL's are often longer than what fits in nsAutoString's
internal buffer) and then create a new URI object and parse the whole URI string
only to find out if the URI string starts with "javascript:"? Wouldn't simple
string manipulation be more efficient (and less code) here?

Oh, is the attached patch a cvs diff -w? If not you better fix the indentation
in nsHTMLUtils.cpp:

+    if (bIsJavascript) {
+      spec = utf8Spec;
+    }
+    else {
     // Otherwise, we'll need to use aDocument to cough up a character
     // set converter, and re-encode the relative portion of the URL as
     ...
     ^
     |____ indent!

nsInputStreamChannel.cpp, can this get more inefficient? :-)

     nsString name;
-    name.AppendWithConversion(urlStr);
+    name.Append(NS_ConvertUTF8toUCS2(urlStr));
     *result = name.ToNewUnicode();

How about:

-    nsString name;
-    name.AppendWithConversion(urlStr);
-    *result = name.ToNewUnicode();
+    *result = ToNewUnicode(NS_ConvertUTF8toUCS2(urlStr));

in nsSimpleURI::SetSpec():

     nsAutoString spec;
-    spec.AssignWithConversion(aSpec);
+    spec = NS_ConvertUTF8toUCS2(aSpec);

Any reason to not make 'spec' be of type NS_ConvertUTF8toUCS2 in stead of being
of type nsAutoString?

nsJSProtocolHandler.cpp:

         nsAutoString scriptString;
-        scriptString.AssignWithConversion(script);
+        scriptString.Assign(NS_ConvertUTF8toUCS2(script));
         rv = scriptContext->EvaluateString(scriptString,

Why not:

-        nsAutoString scriptString;
-        scriptString.AssignWithConversion(script);
+        NS_ConvertUTF8toUCS2 scriptString(script);
         rv = scriptContext->EvaluateString(scriptString,

Fix those issues and I'll have one more look...

    
    

    
  
Jesse, I am not clear about your question. Charset conversion does not convert \
to /, that unrelated.

    
    

    
  
Much better! One more thing, in nsHTMLUtils.cpp:

+    PRInt32 pos = aSpec.Find(":");
+    nsAutoString scheme;
+    if ((pos != -1) &&
+        (aSpec.Left(scheme, pos) != -1) &&
+         scheme.EqualsIgnoreCase("javascript")) {
+      spec.Assign(NS_ConvertUCS2toUTF8(aSpec.GetUnicode()));
+    }

This code will end up doing aSpec.Left() and scheme.EqualsIgnoreCase() for every
URL when we could limit the cases to where the ':' is found at the right place,
i.e. if ((pos == nsCRT::strlen("javascript")) && ...), or something like that.

Oh, and use aSpec.FindChar(':') when looking for a single character.

Make those changes and you'll have sr=jst

    
    

    
  
That part only executed if the URI contains non ASCII characters. Anyway, faster
is better, I will update the patch.

    
    

    
  
I don't see a reason for the pos != -1 check here, if you're worried about the
performance hit from nsCRT::strlen("javascript") in the cases where a ':' isn't
found in the URI then you could make the check be simply:

  if (pos == 10 /* strlen("javascript") */ &&
      ...

which would be even faster and even less code, and you could actually optimize
this even further by never searching for the ':' character, in stead you could
simply check if the 10th character is a ':' (after making sure the string is
longer than 10 characters) and then do the check if the data before the ':' was
"javascript" or something else, but since this is not performance critical or
anything, I'm ok with this as is, except for the "pos != -1" check. sr=jst if
you remove that check...


    
    

    
  


  

    
    

    
  
sr on the nsSimpleURI and nsInputStreamChannel string changes.  I wonder if 
there are other places in necko that we should be doing this?.  

    
    

    
  
Under mozilla/netwerk, there are
59 of ToNewCstring,
43 of AssignWithConversion,
11 of NS_ConvertASCIItoUCS2

Changing them to ToNewUTF8String, NS_ConvertUTF8toUCS2 would not break ASCII
(UTF-8 is a superset of ASCII), though I am not sure about performance difference.


    
    

    
  
remove the N6 time [rtm-] since it cause confusion.
Whiteboard: [rtm-]

    
  
Blocks: 83989

    
    

    
  
The current patch makes it so javascript: is the only protocol where the URL
isn't subject to charset conversion.  Is this what we want to do, or do we want
to list the protocols that *do* get converted?  (I'm bringing this up because in
bug 81717, another URL conversion, converting \ to /, is being applied to
everything except javascript: and causing data: URLs to break.)

    
    

    
  
>I wonder if 
there are other places in necko that we should be doing this?.  
Let's sperate that into different bug. Let's deal with known issue for now and 
unknown issue later. 


Whiteboard: r/sr=jst+dougt, need a=

    
    

    
  
Jesse, I think it's fine to add other protocols if they also want UTF-8 string.
If there is a specific example, please file a separate bug. Note that protocol
handlers may also need change in order to accept UTF-8 URI.


    
    

    
  
Testing information:
I ran http://www.mozilla.org/quality/precheckin-tests.html which include http
and ftp. Tested links in 4.01 spec http://www.w3.org/TR/html4/.
Also tried non ASCII cases http://www.fcenter.ru/wn/hn02082000.htm to make sure
non javascript case is not affected.


    
    

    
  
Filed separately as bug 85310 about the remaining ToNewCString in necko.


    
    

    
  
pdt+ base on 6/11 pdt meeting.


    
  
Whiteboard: r/sr=jst+dougt, need a= → [PDT+]r/sr=jst+dougt, need a=

    
    

    
  
I review the 06/08/01 10:02 patch, I feel the change is right but have high risk 
except the nsHTMLUtils.cpp part. I afraid this may cause some unknown regression 
since some changs is in the low leverl code. 

In this late cycle, I suggest we hold this patch and ask naoki to work on a work 
around changes which only in nsHTMLUtils.cpp. In the case of JavaScript protocol, 
instead of convert from Unicode to UTF8, we could convert to the javascript 
escape \u for non ASCII data. In this way, we can gunarantee it only impact 
JavaScript protocol but not other code. 

We should definitely consider the rest of the 06/08/01 10:02 patch after we 
branch off from moz.0.9.3. It is safer to test that kind of change in the early 
development cycle. 



    
    

    
  
Adding highrisk and patch keywords based on ftang's comments.
Keywords: highrisk, 
          
            patch

    
    

    
  
Frank reviewed the patch. His comments,
* use nsCRT::IsAscii
* check ECMA script spec for \uxxxx format

    
    

    
  
From the ECMA script spec,
http://www.ecma.ch/ecma1/stand/ecma-262.htm
> UnicodeEscapeSequence :: See 7.6
> \u HexDigit HexDigit HexDigit HexDigit

So it looks like it expects four digits although I didn't find a place which
says it had to be four digits.
I found that the current mozilla does not accept non four digits like \uF6, it
has to be \u00F6.



    
    

    
  
r=ftang


    
    

    
  
I would've put the \u as part of the format string to PR_snprintf() (and made
sure there's room for that too in buf) in stead of first appending \u to the
string and then doing the printf and then appending the result of printf to the
string, that would've been less code, but both ways work.

sr=jst

    
    

    
  
+    nsAutoString scheme;
+    if ((pos == (PRInt32) nsCRT::strlen("javascript")) &&
+        (aSpec.Left(scheme, pos) != -1) &&
+         scheme.EqualsIgnoreCase("javascript")) {

FYI, here's a way to consolidate the string constant and avoid the strlen of
that constant, without wiring in 10 (although 10 is well-known to be the length
of "javascript"!):

+    static const char kJavaScript[] = "javascript";
+    nsAutoString scheme;
+    if ((pos == (PRInt32)(sizeof kJavaScript - 1)) &&
+        (aSpec.Left(scheme, pos) != -1) &&
+         scheme.EqualsIgnoreCase(kJavaScript")) {

I agree with what jst said.  Instead of:

+      char buf[5];
+      spec.Truncate(0);
+      for (const PRUnichar* uch = aSpec.GetUnicode(); *uch; ++uch) {
+        if (!nsCRT::IsAscii(*uch)) {
+          spec.Append("\\u");
+          PR_snprintf(buf, sizeof(buf), "%.4x", *uch);
+          spec.Append(buf);

Why not

+      char buf[6+1];	// space for \uXXXX plus a NUL at the end
+      spec.Truncate(0);
+      for (const PRUnichar* uch = aSpec.GetUnicode(); *uch; ++uch) {
+        if (!nsCRT::IsAscii(*uch)) {
+          PR_snprintf(buf, sizeof(buf), "\\u%.4x", *uch);
+          spec.Append(buf);

/be

    
  
Whiteboard: [PDT+]r/sr=jst+dougt, need a= → [PDT+]need sr=

    
    

    
  
*** Bug 86092 has been marked as a duplicate of this bug. ***

    
    

    
  
sr=jst

    
  
Whiteboard: [PDT+]need sr= → [PDT+]need a=

    
    

    
  
a= asa@mozilla.org for checkin to the trunk.
(on behalf of drivers)

    
  
Whiteboard: [PDT+]need a= → [PDT+]wait for tree open to check in

    
    

    
  
checked in
Status: ASSIGNED → RESOLVED
Closed: 24 years ago23 years ago
Resolution: --- → FIXED

    
    

    
  
I checked now. It work! Thanx!  from Japan

    
    

    
  
verified win2k 2001061905
         macos 2001061908
         linux 2001061914

Status: RESOLVED → VERIFIED

    
    

    
  
*** Bug 88220 has been marked as a duplicate of this bug. ***

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: