Re: [Cppcms-users] About escape filter
From: Artyom B. <art...@ya...> - 2015-12-19 09:12:59
Actually you are bringing relevant points. Also AFAIK RSS is XML and default escaping should work.

Escaping '\'' in general isn't required for HTML unless you use variables in attributes quoted with single quote. So probably I'll extend the default filter to filter the quote mark as well. Also I don't think it is actually a real issue but may be somewhat misleading.

Nevertheless remember you can always define your own filters for your specific cases:

http://cppcms.com/wikipp/en/page/cppcms_1x_templates_comm#Description

Also note I'm planning to add more filters like a filter for json/javascript and I'm planning to add "default filter scope or something like that":

<% filter json %><script> alert("<%= message %>");</script><% end filter %>

I have just added scoped filter to the to-do list for CppCMS 1.1

Artyom Beilis

From: redred77 <red...@gm...>
To: cpp...@li...
Sent: Thursday, December 17, 2015 4:58 PM
Subject: [Cppcms-users] About escape filter

1. I know that there is an escape filter in cppcms already, but I found that sometimes it's not enough. According to the rss validator, and the rss spec, < > " & characters must be escaped to hex.

validator : https://validator.w3.org/feed/rss
spec : http://www.rssboard.org/rss-profile#data-types-characterdata

"A publisher SHOULD encode "&" and "<" in plain text using hexadecimal character references. When encoding the ">" character, a publisher SHOULD use the hexadecimal reference &#x3E;."

Using hex code is for compatibility reasons, but many rss reader programs still don't recognize ". For example, the SNS management site hootsuite.com's internal rss reader takes some feeds as invalid when the " character is in the title tag. Actually they don't need to update the rss reader because the spec says it should be hex encoded. So, I would like to suggest adding an encode_hex like method. It is essential when publishing an rss feed from a website.

2. Escaping the (') apostrophe (single quote) character. PHP's htmlspecialchars() function escapes the apostrophe (single quote) when such a flag is set.

http://php.net/manual/en/function.htmlspecialchars.php

Also here are the 5 items that are XML, HTML predefined entities.

https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML

I can think of some situations where user input may harm the website when the single quote is not escaped since web developers may use single quotes in double quote places. Especially with javascript I prefer to use single quotes over double quotes. For security, I would like to suggest the apostrophe must be escaped.

3. I copied from existing cppcms source code and made a similar escape method which escapes xml entities to hex and single quote (apostrophe):

    #include <string>

    // Stands in for the cppcms util header so the function compiles on its own.
    namespace util { std::string escape_hex(std::string const &s); }

    std::string util::escape_hex(std::string const &s)
    {
        std::string content;
        unsigned i, len = s.size();
        content.reserve(len * 3 / 2);
        for (i = 0; i < len; i++) {
            char c = s[i];
            switch (c) {
            // hexadecimal character references for the five XML predefined entities
            case '<':  content += "&#x3C;"; break;
            case '>':  content += "&#x3E;"; break;
            case '&':  content += "&#x26;"; break;
            case '\"': content += "&#x22;"; break;
            case '\'': content += "&#x27;"; break;
            default:   content += c;
            }
        }
        return content;
    }

It works as intended. The original source code is stable, and I just modified some.

4. I want to discuss adding a new escape method, and about the apostrophe. And I want to know if there are some issues that I didn't know. Thanks.
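As an added example (not code from the thread or from the CppCMS sources; the function names are my own): a hex-reference XML escaper of the kind proposed above, next to a separate escaper for the JavaScript/JSON string context that the scoped `json` filter is meant for, where HTML entities would be the wrong tool, plus a check that an escaped value contains no raw apostrophe and so cannot terminate a single-quoted attribute.

```cpp
#include <cstdio>
#include <string>

// Escape the five XML predefined characters as hexadecimal character
// references, as the RSS profile recommends; everything else passes through.
std::string escape_xml_hex(std::string const &s) {
    std::string out;
    out.reserve(s.size() * 3 / 2);
    for (char c : s) {
        switch (c) {
            case '<':  out += "&#x3C;"; break;
            case '>':  out += "&#x3E;"; break;
            case '&':  out += "&#x26;"; break;
            case '"':  out += "&#x22;"; break;
            case '\'': out += "&#x27;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Escape a value for use inside a JavaScript/JSON string literal. The browser
// does not decode HTML entities inside <script>, so quotes, markup characters
// and control characters become \uXXXX sequences and backslashes are doubled.
std::string escape_js_string(std::string const &s) {
    std::string out;
    out.reserve(s.size() * 2);
    for (unsigned char c : s) {
        if (c == '\\') { out += "\\\\"; continue; }
        if (c == '"' || c == '\'' || c == '<' || c == '>' || c == '&' || c < 0x20) {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\u%04X", static_cast<unsigned>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// A value can only be placed inside a single-quoted attribute if no raw
// apostrophe survives escaping; otherwise it would end the attribute early.
bool safe_in_single_quoted_attr(std::string const &escaped) {
    return escaped.find('\'') == std::string::npos;
}
```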