Re: [Cppcms-users] About escape filter
From: redred77 <red...@gm...> - 2015-12-22 02:22:31
Thanks. Really appreciated, good project.

On 2015. 12. 19. 6:13 PM, "Artyom Beilis" <art...@ya...> wrote:
> Actually you are bringing up relevant points.
>
> Also AFAIK rss is XML and default escaping should work.
> Escaping '\'' in general isn't required for HTML unless you use variables
> in attributes quoted with single quote. So probably I'll extend default
> filter to filter quote mark as well. Also I don't think it is actually a
> real issue but it may be somewhat misleading.
>
> Nevertheless remember you can always define your own filters for your
> specific cases:
> http://cppcms.com/wikipp/en/page/cppcms_1x_templates_comm#Description
>
> Also note I'm planning to add more filters like a filter for json/javascript
> and I'm planning to add "default filter scope" or something like that:
>
> <% filter json %>
> <script>
> alert("<%= message %>");
> </script>
> <% end filter %>
>
> I have just added scoped filter into the to-do list for CppCMS 1.1
>
> Artyom Beilis
>
> ------------------------------
> *From:* redred77 <red...@gm...>
> *To:* cpp...@li...
> *Sent:* Thursday, December 17, 2015 4:58 PM
> *Subject:* [Cppcms-users] About escape filter
>
> 1. I know that there is an escape filter in cppcms already, but I found that
> sometimes it's not enough.
>
> According to the rss validator, and the rss spec, < > " & characters must be
> escaped to hex.
>
> validator : https://validator.w3.org/feed/
> rss spec : http://www.rssboard.org/rss-profile#data-types-characterdata
>
> A publisher SHOULD encode "&" and "<" in plain text using hexadecimal
> character references. When encoding the ">" character, a publisher SHOULD use
> the hexadecimal reference &#x3E;.
>
> Using hex code is for compatibility reasons, but many rss reader programs
> still don't recognize &quot;. For example, the SNS management site
> hootsuite.com's internal rss reader takes some feeds as invalid when the
> &quot; character is in the title tag. Actually they don't need to update the
> rss reader because the spec says it should be hex encoded.
>
> So, I would like to suggest adding an encode_hex-like method. It is essential
> when publishing an rss feed from a website.
>
>
> 2. Escaping the (') apostrophe (single quote) character.
>
> PHP's htmlspecialchars() function escapes the apostrophe (single quote) when
> such a flag is set.
> http://php.net/manual/en/function.htmlspecialchars.php
>
> Also here are the 5 items that are XML, HTML predefined entities.
> https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML
>
> I can think of some situations where user input may harm the website when
> the single quote is not escaped, since web developers may use single quotes in
> double quote places. Especially with javascript I prefer to use single
> quotes over double quotes.
>
> For security, I would like to suggest the apostrophe must be escaped.
>
>
> 3. I copied from the existing cppcms source code and made a similar escape
> method which escapes xml entities to hex and the single quote (apostrophe):
>
> #include <string>   // std::string; the util namespace is declared in the CppCMS headers
>
> std::string util::escape_hex(std::string const &s)
> {
>     std::string content;
>     unsigned i, len = s.size();
>     content.reserve(len * 3 / 2);
>     for (i = 0; i < len; i++) {
>         char c = s[i];
>         switch (c) {
>         case '<':  content += "&#x3C;"; break;   // hex character references
>         case '>':  content += "&#x3E;"; break;
>         case '&':  content += "&#x26;"; break;
>         case '\"': content += "&#x22;"; break;
>         case '\'': content += "&#x27;"; break;   // apostrophe, not handled by the default filter
>         default:   content += c;
>         }
>     }
>     return content;
> }
>
> It works as intended. The original source code is stable, and I just modified
> some of it.
>
>
> 4. I want to discuss adding a new escape method, and the apostrophe. And I
> want to know if there are some issues that I didn't know about.
>
> Thanks.
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Cppcms-users mailing list
> Cpp...@li...
> https://lists.sourceforge.net/lists/listinfo/cppcms-users
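As an added example (not code from this thread or from CppCMS), the following standalone C++ shows the two escapers the thread is really talking about: the hex character-reference escaper for RSS/HTML that also covers the apostrophe, and a separate escaper for the `<% filter json %>` case where a value lands inside a JavaScript string literal in a `<script>` block, where HTML entity escaping is the wrong tool because the browser does not decode entities inside `<script>`. The function names `escape_hex` and `escape_js_string` and the sample input are my own choices, not CppCMS APIs.

```cpp
#include <cstdio>
#include <string>

// Hex character references for the five XML predefined entities, apostrophe
// included. The output is safe as XML/RSS character data and inside both
// single- and double-quoted attribute values, which is the gap the thread
// identifies in a filter that leaves the apostrophe untouched.
std::string escape_hex(const std::string &s) {
    std::string out;
    out.reserve(s.size() * 3 / 2);
    for (char c : s) {
        switch (c) {
        case '<':  out += "&#x3C;"; break;
        case '>':  out += "&#x3E;"; break;
        case '&':  out += "&#x26;"; break;
        case '"':  out += "&#x22;"; break;
        case '\'': out += "&#x27;"; break;
        default:   out += c;
        }
    }
    return out;
}

// Escaper for a value placed inside a JavaScript string literal within
// <script>. Quotes, backslashes and newlines get JS backslash escapes so the
// literal cannot be terminated early; '<', '>' and '&' become \xNN so the
// resulting text can never contain "</script>" and end the script block.
std::string escape_js_string(const std::string &s) {
    std::string out;
    out.reserve(s.size() * 2);
    char buf[8];
    for (unsigned char c : s) {
        switch (c) {
        case '\\': out += "\\\\"; break;
        case '"':  out += "\\\""; break;
        case '\'': out += "\\'";  break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '<': case '>': case '&':
            std::snprintf(buf, sizeof buf, "\\x%02X", static_cast<unsigned>(c));
            out += buf;
            break;
        default:
            if (c < 0x20) {   // remaining control characters
                std::snprintf(buf, sizeof buf, "\\x%02X", static_cast<unsigned>(c));
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    return out;
}

int main() {
    // Constructed sample title (not taken from the thread).
    const std::string title = "Tom & Jerry's <b>\"best\"</b>";
    std::printf("RSS/HTML: %s\n", escape_hex(title).c_str());
    std::printf("JS:       alert(\"%s\");\n", escape_js_string(title).c_str());
    return 0;
}
```

The point of keeping the two functions separate is that the escaping rule is decided by the output context, not by the input: the same title goes through `escape_hex` when it is emitted into an RSS `<title>` or an HTML attribute, and through `escape_js_string` when it is emitted into the `alert("...")` of the scoped filter example, which is exactly what a per-scope filter like `<% filter json %>` lets the template author select.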