Posted to modperl@perl.apache.org by Marcin Kasperski <Ma...@acn.waw.pl> on 2002/11/08 22:23:26 UTC
[mp-1 ?] Apache::Util::escape_html could handle single quotation
I use Apache::Util::escape_html to perform fast HTML-escaping of the
data before displaying it. Unfortunately, this function handles
<, >, & and " but does not handle ' (single quote) - which
can be escaped as '
It would be nice if apos was handled. After all, in HTML file it is
almost equivalent to double quote (it is only the matter of style
whether one uses <a href="some url"> or <a href='some url'>).
Moreover, there are situations where one cannot change the quotation
model, as in (an adapted real example I happened to have trouble with):
<a href="javascript:somefun('[%some_var%]')">
(where some_var is a variable escaped with escape_html and unfortunately
it can happen to contain apostrophe mark)
It seems to me that it would suffice to slightly change the
function my_escape_html in src/modules/perl/Util.xs by
adding new else-if in both if sequences.
PS I do not know how the thing looks in modperl-2 but in case there is
similar problem, I would suggest similar solution.
--
( Marcin Kasperski | A reusable framework that is developed by itself will )
( http://www.mk.w.pl | probably not be very reusable. (Martin) )
(----------------------------------------------------------------------------)
( Safer with a card? http://www.mk.w.pl/artykuly/karty_niebezpieczenstwa )
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
Marcin Kasperski wrote:
>>namely "i had a bad feeling about this. we should not be implementing
>>escape_html to begin with, the functionality should all be in apache."
>>(...)
>
>
> The main point in this case: someone decided to escape " (double
> quote) in escape_html. For HTML, ' (single quote) is practically
> equivalent (and can be used at the same places for the same
> purpose). I see no reason to differentiate handling of single and
> double quote while generating HTML pages.
>
> The reason to use escape_html vs HTML::Entities is clear - the
> speed. And at least in my case one needs to escape just <, >, &, " and '
> - the characters which can spoil the way browser interprets HTML.
very well. I'll submit something to modperl-dev later today and we'll
see how the vote falls :)
--Geoff
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Marcin Kasperski <Ma...@acn.waw.pl>.
> namely "i had a bad feeling about this. we should not be implementing
> escape_html to begin with, the functionality should all be in apache."
> (...)
The main point in this case: someone decided to escape " (double
quote) in escape_html. For HTML, ' (single quote) is practically
equivalent (and can be used at the same places for the same
purpose). I see no reason to differentiate handling of single and
double quote while generating HTML pages.
The reason to use escape_html vs HTML::Entities is clear - the
speed. And at least in my case one needs to escape just <, >, &, " and '
- the characters which can spoil the way browser interprets HTML.
--
( Marcin Kasperski | Software is not released, it is allowed to escape. )
( http://www.mk.w.pl | )
(----------------------------------------------------------------------------)
( My private pages: http://www.kasperski.prv.pl )
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Marcin Kasperski <Ma...@acn.waw.pl>.
> some of us on modperl-dev had a discussion with Doug recently about
> expanding Apache::Util::escape_html() to do things like HTML::Entities
> (such as high-bit characters) and it was decided it was a bad idea.
> see:
> http://marc.theaimsgroup.com/?l=apache-modperl-cvs&m=101708056429561&w=2
> and doug's reply:
> http://marc.theaimsgroup.com/?l=apache-modperl-dev&m=101708105030300&w=2
One additional remark: while suggesting escaping of the single quote, I'd
vote against escaping national characters in escape_html. For
instance, I generate iso-8859-2 encoded Polish pages and I want my
national characters to be left as-is while the text is escaped...
To end the whole argument: I suggest escaping ' as this character
is unsafe in HTML. Simultaneously, I suggest keeping advanced entities
out of this utility function.
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
>
>
> Two patches, one for t/net/util.pl and one for src/modules/perl/Util.xs.
> Apply them from the root of the untarred source.
cool, thanks.
you know, the test compares the results of Apache::Util::escape_html()
to HTML::Entities::encode, both of which do not translate ' into &apos
by default.
some of us on modperl-dev had a discussion with Doug recently about
expanding Apache::Util::escape_html() to do things like HTML::Entities
(such as high-bit characters) and it was decided it was a bad idea.
see:
http://marc.theaimsgroup.com/?l=apache-modperl-cvs&m=101708056429561&w=2
and doug's reply:
http://marc.theaimsgroup.com/?l=apache-modperl-dev&m=101708105030300&w=2
namely "i had a bad feeling about this. we should not be implementing
escape_html to begin with, the functionality should all be in apache."
so... I could work this up and submit it, but I doubt that it would
make it in to core, especially since it goes above and beyond
HTML::Entities (the standard AFAICT).
if you really need single quotes escaped, you could always change
calls to Apache::Util::escape_html() to
HTML::Entities::encode_entities() and pass it your special escapes:
use HTML::Entities qw(encode_entities);
my $bad = qq!some unescaped 'quotes'!;
# second argument: the set of characters to encode; only the characters
# listed there are touched (here just the apostrophe)
my $good = encode_entities($bad, qq!'!);
print "$good\n";
HTH
--Geoff
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by darren chamberlain <dl...@users.sourceforge.net>.
* Geoffrey Young <ge...@modperlcookbook.org> [2002-11-11 13:16]:
> > (oh, maybe someone could consider also adding some test case to
> > t/net/perl/util.pl but it does not seem to be very important)
>
> tests are always important :)
>
> > > I think that, with mod_perl 2.0, mod_perl 1.x might not be high on
> > > maintainer's list of stuff to do
>
> sorry, but I haven't been following too closely lately.
>
> if you can provide a final patch to Util.xs and util.pl and they pass
> muster with the rest of the committers, I'll see that they get
> integrated into CVS 'soonish'
Two patches, one for t/net/util.pl and one for src/modules/perl/Util.xs.
Apply them from the root of the untarred source.
(darren)
--
Of all the strange 'crimes' that human beings have legislated out of
nothing, 'blasphemy' is the most amazing--with 'obscenity' and 'indecent
exposure' fighting it out for second and third place.
-- Lazarus Long
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> (oh, maybe someone could consider also adding some test case to
> t/net/perl/util.pl but it does not seem to be very important)
tests are always important :)
>>I think that, with mod_perl 2.0, mod_perl 1.x might not be high on
>>maintainer's list of stuff to do
sorry, but I haven't been following too closely lately.
if you can provide a final patch to Util.xs and util.pl and they pass
muster with the rest of the committers, I'll see that they get
integrated into CVS 'soonish'
--Geoff
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Marcin Kasperski <Ma...@acn.waw.pl>.
> > Your patch seems to me to be partially wrong (you missed similar
> > addition a few lines above, while calculating the destination
> > size).
>
> Erm, yeah, so I see, now that you mention it.
And this patch version seems to be correct
(oh, maybe someone could consider also adding some test case to
t/net/perl/util.pl but it does not seem to be very important)
> > Nevertheless, I write here about the problem because I would really
> > like having such a change in the mainstream modperl distribution.
> > Keeping my own patched modperl distribution, integrating changes etc
> > is a bit troublesome (organizationally).
>
> I think that, with mod_perl 2.0, mod_perl 1.x might not be high on
> maintainer's list of stuff to do, but Jim Winstead would probably
> accept a (proper!) patch and release libapreq-1.01.
Hmm, should I do something to send it to him or is he reading this
list?
Regards (and thanks)
Marcin
--
( Marcin Kasperski | Communication takes place between people, documents )
( http://www.mk.w.pl | are secondary. (Booch) )
(----------------------------------------------------------------------------)
( Business document in LaTeX: http://www.mk.w.pl/porady/latex/mkofficial_cls)
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by darren chamberlain <dl...@users.sourceforge.net>.
* Marcin Kasperski <Ma...@acn.waw.pl> [2002-11-08 17:33]:
> darren chamberlain <dl...@users.sourceforge.net> writes:
>
> > * Marcin Kasperski <Ma...@acn.waw.pl> [2002-11-08 16:22]:
> > > I use Apache::Util::escape_html to perform fast HTML-escaping of the
> > > data before displaying it. Unfortunately, this function handles
> > > <, >, & and " but does not handle ' (single quote) - which
> > > can be escaped as '
> >
> > Hey, this is an easy one. Apply the attached patch to
> > mod_perl-1.XX/src/modules/perl/Util.xs, and single quotes will be
> > turned into '
>
> Your patch seems to me to be partially wrong (you missed similar
> addition a few lines above, while calculating the destination
> size).
Erm, yeah, so I see, now that you mention it.
> Nevertheless, I write here about the problem because I would really
> like having such a change in the mainstream modperl distribution.
> Keeping my own patched modperl distribution, integrating changes etc
> is a bit troublesome (organizationally).
I think that, with mod_perl 2.0, mod_perl 1.x might not be high on
maintainer's list of stuff to do, but Jim Winstead would probably accept
a (proper!) patch and release libapreq-1.01.
(darren)
--
All extreme positions are wrong.
-- Erann Gat
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by Marcin Kasperski <Ma...@acn.waw.pl>.
darren chamberlain <dl...@users.sourceforge.net> writes:
> * Marcin Kasperski <Ma...@acn.waw.pl> [2002-11-08 16:22]:
> > I use Apache::Util::escape_html to perform fast HTML-escaping of the
> > data before displaying it. Unfortunately, this function handles
> > <, >, & and " but does not handle ' (single quote) - which
> > can be escaped as '
>
> Hey, this is an easy one. Apply the attached patch to
> mod_perl-1.XX/src/modules/perl/Util.xs, and single quotes will be
> turned into '
Your patch seems to me to be partially wrong (you missed similar
addition a few lines above, while calculating the destination
size). Nevertheless, I write here about the problem because I would
really like having such a change in the mainstream modperl
distribution. Keeping my own patched modperl distribution, integrating
changes etc is a bit troublesome (organizationally).
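An added example in C, written for this thread; it is not mod_perl's own Util.xs code (the real my_escape_html() is only described above, and the names escape_html, escaped_len, entity_for and the sample strings are this example's own). It shows the two-pass structure the patch discussion refers to: a size pass and a copy pass, with the apostrophe handled in both. Driving both passes from one lookup keeps them in step. Adding a new case to the copy loop but not to the size computation is exactly the defect Marcin spotted above, and it is worse than a wrong result: the copy pass then writes more bytes than the size pass allocated. One caveat for the javascript: href case in the first post: the HTML parser decodes &#39; back to ' inside an attribute value before the URL reaches the JavaScript engine, so HTML-escaping alone does not stop a breakout of the single-quoted JS string there; that context needs JavaScript string escaping as well.

```c
/* Added example, not mod_perl's Util.xs: a two-pass HTML escaper that
 * handles the apostrophe.  All names here are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* &#39; rather than &apos;: the numeric reference is valid in any HTML
 * version, while &apos; is an XML/XHTML entity not defined in HTML 4. */
#define APOS_ENTITY "&#39;"

/* Entity for one input byte, or NULL when the byte is copied through
 * unchanged.  One table drives both passes below, so the size pass
 * cannot disagree with the copy pass about which bytes get expanded. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return APOS_ENTITY;
    default:   return NULL;   /* includes high-bit (e.g. iso-8859-2) bytes */
    }
}

/* Pass 1: length of the escaped form, excluding the terminating NUL. */
size_t escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *e = entity_for((unsigned char)*s);
        n += e ? strlen(e) : 1;
    }
    return n;
}

/* Pass 2: allocate what pass 1 computed and copy with substitutions.
 * Returns a malloc'ed string the caller frees, or NULL on failure. */
char *escape_html(const char *s)
{
    size_t need = escaped_len(s);
    char *out = malloc(need + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        const char *e = entity_for((unsigned char)*s);
        if (e) {
            size_t l = strlen(e);
            memcpy(p, e, l);
            p += l;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Check helpers: does `in` escape to `expect`, and did the copy pass
 * write exactly the number of bytes the size pass reserved? */
int escapes_to(const char *in, const char *expect)
{
    char *out = escape_html(in);
    int ok = out != NULL && strcmp(out, expect) == 0;
    free(out);
    return ok;
}

int length_invariant_holds(const char *in)
{
    char *out = escape_html(in);
    int ok = out != NULL && strlen(out) == escaped_len(in);
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a value that would close a single-quoted JS
     * string, the href from the first post, and a Polish iso-8859-2
     * word whose high-bit bytes must pass through untouched. */
    const char *samples[] = {
        "x'); evil('",
        "<a href='some url'>",
        "\xb3\xb1ka",            /* "laka" with Polish letters, iso-8859-2 */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *e = escape_html(samples[i]);
        printf("%s -> %s\n", samples[i], e ? e : "(alloc failed)");
        free(e);
    }
    return 0;
}
```

The invariant to check when reviewing a patch like the one in this thread is the one length_invariant_holds() encodes: for every input, strlen(escape_html(s)) must equal escaped_len(s); any character escaped in only one of the two passes breaks it.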
Re: [mp-1 ?] Apache::Util::escape_html could handle single quotation
Posted by darren chamberlain <dl...@users.sourceforge.net>.
* Marcin Kasperski <Ma...@acn.waw.pl> [2002-11-08 16:22]:
> I use Apache::Util::escape_html to perform fast HTML-escaping of the
> data before displaying it. Unfortunately, this function handles
> <, >, & and " but does not handle ' (single quote) - which
> can be escaped as '
Hey, this is an easy one. Apply the attached patch to
mod_perl-1.XX/src/modules/perl/Util.xs, and single quotes will be
turned into '
(darren)
--
If history teaches us anything, it's that everyone will be part of the
problem, but not everyone will be part of the solution.
-- Larry Wall