If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

'<' and '>' not escaped in attributes when getting .innerHTML on an HTML element in an HTML document




5 years ago
5 years ago


(Reporter: Mathieu De Kermadec, Unassigned)


({regression, testcase})

15 Branch
regression, testcase

Firefox Tracking Flags

(firefox15-, firefox16-, firefox17-, firefox18-)


(Whiteboard: invalid?)


(1 attachment)



5 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0
Build ID: 20120824154833

Steps to reproduce:

first I parse an xml string in javascript.
then I add an atribute with special characters to one node of this xml document.
I transform this xml document into a string.

Here is a snippet to reproduce: http://jsfiddle.net/F8Pgk/

Actual results:

attribute of the xml document are not escaped:

<val pilou="<toto>&amp;" attr="<popo"></val>

Expected results:

<val attr="&lt;popo" pilou="&lt;toto&gt;&amp;"></val>

Comment 1

5 years ago
Created attachment 658679 [details]
Reporter's testcase

In previous versions of Firefox, the result was:
<val pilou="&lt;toto&gt;&amp;" attr="&lt;popo"></val>
(that's pretty similar to:
<val attr="&lt;popo" pilou="&lt;toto&gt;&amp;"></val>
(inversed parts)

Now since FF15, the result is:
<val pilou="<toto>&amp;" attr="<popo"></val>

Regression range:



It needs more investigation.


5 years ago
Keywords: regression, testcase


5 years ago
tracking-firefox15: --- → ?
tracking-firefox16: --- → ?
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
while this is a recent regression , is this a critical user facing issue ?

Comment 3

5 years ago
I think that it can broke compatibility with some services.

In my case, I send with ajax a xml file to a php file.

With this issue, php can't parse my xml file as it said it's not valid xml.

Fortunately it's not common to have special characters in xml attribute, but still it can happen ... as it happen to me.
CCing Cheng, Matt, and Tyler - are we getting much report about this in SUMO or input that would suggest this is something to do another respin of mobile 15 for?  I suspect it's not, and we can wait to investigate this for Beta/Aurora - but would like confirmation.
I did some digging on input and it seems to be fairly isolated. I haven't seen anything on SUMO. My instincts say we can wait. I'll do some more digging on Monday to see if the landscape changes.
Can we get a bisection here and figure out what bug caused this?
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
tracking-firefox15: ? → -
tracking-firefox16: ? → +
tracking-firefox17: ? → +
tracking-firefox18: ? → +
Keywords: qawanted
I confirm the results in comment 1 on Win 7 x64 on FF 15.0.1 and 16b2. Dropping qawanted since there is already a reproducible testcase for this bug.
Component: Untriaged → XML
Ever confirmed: true
OS: Mac OS X → All
Product: Firefox → Core
Hardware: x86 → All
Keywords: qawanted

Comment 8

5 years ago
Regression window(m-c)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120601025002
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120601035703

Triggered by: Bug 744830


5 years ago
Blocks: 744830
There is no XML anywhere here.  JQuery's $() just parses things as HTML in the context of the current HTML document.

So the testcase is producing an HTML fragment, then serializing it using innerHTML.  That should run http://www.whatwg.org/specs/web-apps/current-work/multipage/the-end.html#html-fragment-serialization-algorithm which says:

  For each attribute that the element has ... the attribute's value, escaped as described
  below in attribute mode

which links to http://www.whatwg.org/specs/web-apps/current-work/multipage/the-end.html#escapingString which says that '<' and '>' are only escaped NOT in attribute mode.

So the new behavior is the one the spec calls for.

It's also the behavior that Opera has.  WebKit does escape the '<' and '>' when getting innerHTML.

It's worth looking into whether the spec needs changing here, I guess.  But Mathieu, you are NOT serializing things as XML here, so any ability you had to pass the result to an XML parser was a complete accident.
Component: XML → Serializers
Summary: xml attribute with special characters not properly escaped → '<' and '>' not escaped in attributes when getting .innerHTML on an HTML element in an HTML document
Whiteboard: invalid?
What does IE do?
IE seems to work like Gecko and Presto, and they all do what the spec says.
Webkit does something different.
Last Resolved: 5 years ago
Resolution: --- → INVALID

Comment 12

5 years ago
IE10, maybe but not IE9:
<val attr="<popo" pilou="<toto>&amp;"></val>
That is just different order of attributes, not different handling for < and >, which this bug
is about.
status-firefox16: affected → ---
status-firefox17: affected → ---
status-firefox18: affected → ---
tracking-firefox16: + → -
tracking-firefox17: + → -
tracking-firefox18: + → -
(In reply to Boris Zbarsky (:bz) from comment #9)
> WebKit does escape the '<' and '>'
> when getting innerHTML.

For the record: Not if the attribute reflects as a URL and contains a javascript: URL.
Duplicate of this bug: 813441
You need to log in before you can comment on or make changes to this bug.