Thread: [Cppcms-users] About escape filter
From: redred77 <red...@gm...> - 2015-12-17 14:58:18
1. I know that there is an escape filter in cppcms already, but I found that sometimes it's not enough.

According to the rss validator and the rss spec, the < > " & characters must be escaped to hex.

validator : https://validator.w3.org/feed/
rss spec : http://www.rssboard.org/rss-profile#data-types-characterdata

A publisher SHOULD encode "&" and "<" in plain text using hexadecimal character references. When encoding the ">" character, a publisher SHOULD use the hexadecimal reference &#x3E;.

Using hex code is for compatibility reasons, but many rss reader programs still don't recognize &quot;. For example, SNS management site hootsuite.com's internal rss reader takes some feeds as invalid when the &quot; character is in the title tag. Actually they don't need to update the rss reader because the spec says it should be hex encoded.

So, I would like to suggest adding an encode_hex-like method. It is essential when publishing an rss feed from a website.

2. Escaping the (') apostrophe (single quote) character.

PHP's htmlspecialchars() function escapes the apostrophe (single quote) when such a flag is set.
http://php.net/manual/en/function.htmlspecialchars.php

Also, here are the 5 items that are XML/HTML predefined entities.
https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML

I can think of some situations where user input may harm the website when the single quote is not escaped, since web developers may use single quotes in double-quote places. Especially with javascript, I prefer to use single quotes over double quotes.

For security, I would like to suggest that the apostrophe must be escaped.

3. I copied from the existing cppcms source code and made a similar escape method which escapes xml entities to hex and the single quote (apostrophe):

    #include <string>

    namespace util { std::string escape_hex(std::string const &s); }

    // escapes <, >, &, " and ' as hexadecimal character references
    std::string util::escape_hex(std::string const &s)
    {
        std::string content;
        unsigned i, len = s.size();
        content.reserve(len * 3 / 2);
        for (i = 0; i < len; i++) {
            char c = s[i];
            switch (c) {
            case '<':  content += "&#x3C;"; break;
            case '>':  content += "&#x3E;"; break;
            case '&':  content += "&#x26;"; break;
            case '\"': content += "&#x22;"; break;
            case '\'': content += "&#x27;"; break;
            default:   content += c;
            }
        }
        return content;
    }

It works as intended. The original source code is stable, and I just modified some of it.

4. I want to discuss adding a new escape method, and about the apostrophe. And I want to know if there are some issues that I didn't know about.

Thanks.
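The two problems raised in points 1 and 2 (hex references that round-trip as XML text, and an apostrophe that breaks out of a single-quoted attribute), as an added example that is not part of this thread or of CppCMS. All function names (escape_xml_hex, escape_html_basic, decode_numeric_refs, render_single_quoted_attr, count_char) and the sample strings are my own constructions; escape_html_basic models the four-character set the post describes, not the actual CppCMS filter:

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helpers; none of these are CppCMS APIs.

// Escape the five XML/HTML predefined characters as hexadecimal
// character references (the same set the thread's escape_hex covers).
std::string escape_xml_hex(std::string const &s) {
    std::string out;
    out.reserve(s.size() * 3 / 2);
    for (char c : s) {
        switch (c) {
        case '<':  out += "&#x3C;"; break;
        case '>':  out += "&#x3E;"; break;
        case '&':  out += "&#x26;"; break;
        case '"':  out += "&#x22;"; break;
        case '\'': out += "&#x27;"; break;
        default:   out += c;
        }
    }
    return out;
}

// The four-character set the post describes as the existing filter:
// the apostrophe passes through unchanged.
std::string escape_html_basic(std::string const &s) {
    std::string out;
    out.reserve(s.size() * 3 / 2);
    for (char c : s) {
        switch (c) {
        case '<': out += "&lt;";   break;
        case '>': out += "&gt;";   break;
        case '&': out += "&amp;";  break;
        case '"': out += "&quot;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Decode numeric character references (&#xHH; and &#NNN;) for code points
// below 0x80; malformed references and higher code points are copied through
// unchanged. Enough to check that hex-escaped feed text round-trips.
std::string decode_numeric_refs(std::string const &s) {
    std::string out;
    for (std::size_t i = 0; i < s.size();) {
        if (s[i] == '&' && i + 2 < s.size() && s[i + 1] == '#') {
            std::size_t semi = s.find(';', i);
            if (semi != std::string::npos) {
                bool hex = (s[i + 2] == 'x' || s[i + 2] == 'X');
                std::size_t start = i + (hex ? 3 : 2);
                std::string digits = s.substr(start, semi - start);
                unsigned long cp = 0;
                bool ok = !digits.empty();
                for (char d : digits) {
                    int v;
                    if (d >= '0' && d <= '9') v = d - '0';
                    else if (hex && d >= 'a' && d <= 'f') v = d - 'a' + 10;
                    else if (hex && d >= 'A' && d <= 'F') v = d - 'A' + 10;
                    else { ok = false; break; }
                    cp = cp * (hex ? 16 : 10) + v;
                }
                if (ok && cp < 0x80) {
                    out += static_cast<char>(cp);
                    i = semi + 1;
                    continue;
                }
            }
        }
        out += s[i++];
    }
    return out;
}

// Render a value into a single-quoted HTML attribute through a chosen escaper.
std::string render_single_quoted_attr(std::string const &value,
                                      std::string (*escaper)(std::string const &)) {
    return "<a title='" + escaper(value) + "'>";
}

// A correctly escaped single-quoted attribute contains exactly two
// apostrophes: the delimiters. A third one means the value ended the attribute.
std::size_t count_char(std::string const &s, char c) {
    std::size_t n = 0;
    for (char x : s) if (x == c) ++n;
    return n;
}

int main() {
    std::string title = "Tom & Jerry <3";                        // constructed feed title
    std::cout << escape_xml_hex(title) << '\n';
    std::cout << render_single_quoted_attr("it's", escape_html_basic) << '\n';  // attribute closes early
    std::cout << render_single_quoted_attr("it's", escape_xml_hex) << '\n';     // attribute intact
    return 0;
}
```

The round-trip through decode_numeric_refs is the property the RSS validator cares about: hex references are plain XML character references, so any conforming parser decodes them, whereas a reader that only knows the XML predefined names may reject feeds that lean on them. The apostrophe count is the cheapest check for the attribute case: the escaper that leaves `'` alone produces three quote characters, so the value has terminated the attribute it was supposed to sit inside.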
From: Joerg S. <jo...@br...> - 2015-12-17 15:56:10
Attachments:
patch-bin_cppcms__tmpl_cc
On Thu, Dec 17, 2015 at 11:58:08PM +0900, redred77 wrote:
> 1. I know that there is escape filter in cppcms already, but I found that
> sometimes it's not enough.

Depending on the output, different filters are needed. You might find something like the attached patch helpful. It allows specifying the default filter on a per-view basis.

Joerg
From: redred77 <red...@gm...> - 2015-12-18 04:25:28
Thanks for your work.
From: Artyom B. <art...@ya...> - 2015-12-19 09:12:59
Actually you are bringing relevant points.

Also AFAIK rss is XML and default escaping should work.
Escaping '\'' in general isn't required for HTML unless you use variables in attributes quoted with a single quote. So probably I'll extend the default filter to filter the quote mark as well. Also I don't think it is actually a real issue, but it may be somewhat misleading.

Nevertheless remember you can always define your own filters for your specific cases:
http://cppcms.com/wikipp/en/page/cppcms_1x_templates_comm#Description

Also note I'm planning to add more filters, like a filter for json/javascript, and I'm planning to add a "default filter scope" or something like that:

    <% filter json %>
    <script>
    alert("<%= message %>");
    </script>
    <% end filter %>

I have just added the scoped filter to the to-do list for CppCMS 1.1

Artyom Beilis
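A possible shape for the json/javascript filter mentioned above, as an added example and not CppCMS's own code (the thread does not show what that filter emits). escape_js_string, render_alert and script_block_intact are hypothetical names, and the input strings are constructed; the choice to use \uXXXX escapes for quotes and angle brackets is mine:

```cpp
#include <cstddef>
#include <cstdio>
#include <iostream>
#include <string>

// Hypothetical helper: escape a value for use inside a JavaScript/JSON
// string literal that is itself embedded in an HTML <script> block.
// Quotes and angle brackets become \u escapes, so the result can neither
// terminate the string literal nor the enclosing script element.
std::string escape_js_string(std::string const &s) {
    std::string out;
    out.reserve(s.size() + 8);
    for (unsigned char c : s) {
        switch (c) {
        case '"':  out += "\\u0022"; break;
        case '\'': out += "\\u0027"; break;
        case '\\': out += "\\\\";    break;
        case '<':  out += "\\u003C"; break;  // "</script>" can no longer end the block
        case '>':  out += "\\u003E"; break;
        case '&':  out += "\\u0026"; break;
        case '\n': out += "\\n";     break;
        case '\r': out += "\\r";     break;
        default:
            if (c < 0x20) {                  // remaining control characters
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04X", c);
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    return out;
}

// What the scoped-filter template in the message would emit for one value.
std::string render_alert(std::string const &message) {
    return "<script>alert(\"" + escape_js_string(message) + "\");</script>";
}

// True when the only "</script" in the rendered output is the real closing tag.
bool script_block_intact(std::string const &rendered) {
    std::size_t first = rendered.find("</script");
    return first != std::string::npos &&
           rendered.find("</script", first + 1) == std::string::npos;
}

int main() {
    std::string message = "say \"hi\"\n</script>";   // constructed user-supplied value
    std::cout << render_alert(message) << '\n';
    std::cout << (script_block_intact(render_alert(message)) ? "intact" : "broken") << '\n';
    return 0;
}
```

The point of escaping `<` and `>` inside the string, rather than only the quote characters, is that the HTML parser finds the end of a script element before JavaScript ever sees the literal: a `</script>` sequence inside a correctly quoted string still closes the element. A filter for this context therefore has to satisfy both parsers, which is why it differs from the XML/HTML text filter discussed earlier in the thread.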
From: redred77 <red...@gm...> - 2015-12-22 02:22:31
Thanks. I really appreciate the good project.