Posted to docs@httpd.apache.org by André Malo <nd...@perlig.de> on 2002/09/12 03:18:15 UTC

mod_autoindex & DTD issues

Moin,

Just found some odd things:

The docs of the AddAlt* directives of mod_autoindex say everywhere
"String is enclosed in double quotes". I don't know how it is meant
exactly, but the examples imply that the alt string in the configuration
must be surrounded by quotes. If you don't have whitespace inside your
string you actually don't need the quotes.

However, the string /will/ be enclosed in quotes (alt="string"). Perhaps
it's only my poor English that creates a problem ;-) I'd suggest
writing there:

String should be enclosed in double quotes (").

We should also mention that a quote appearing inside the alt-string
should (must? has to?) be escaped as HTML

AddAlt foo&quot;bar *.baz
# instead of
AddAlt foo"bar *.baz
# bad example, I know...

or should the module escape a quote there?

The other issue:
Please take a look at:
http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername

inside the div.note beneath the example you'll find the following:
(taken from the original XML)

<p><a href="../content-negotiation.html">Content negotiation</a>
      will be performed if the <code>MultiViews</code> <directive
      module="core">Option</directive> is enabled. 
[..]

Of course, there's no directive "Option" and the link points to nowhere.
To keep the semantics I'd like to add another attribute to the directive
element, which contains the actual directive name, if necessary, e.g.

<!ATTLIST directive  module CDATA  #IMPLIED
                     type   CDATA  #IMPLIED
                     name   CDATA  #IMPLIED>

So the author in the case described above may write:

<directive module="core" name="Options">Option</directive>.

What do you think? Any objections?

nd
-- 
$_=q?tvc!uif)%*|#Bopuifs!A`#~tvc!Xibu)%*|qsjou#Kvtu!A`#~tvc!KBQI!)*|~
tvc!ifmm)%*|#Qfsm!A`#~tvc!jt)%*|(Ibdlfs(~  # What the hell is JAPH? ;
@_=split/\s\s+#/;$_=(join''=>map{chr(ord(  #             André Malo ;
$_)-1)}split//=>$_[0]).$_[1];s s.*s$_see;  #  http://www.perlig.de/ ;

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: mod_autoindex & DTD issues

Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:

> On Thu, 12 Sep 2002, André Malo wrote:
>> String should be enclosed in double quotes (").
> 
> If the parsing for these directives is the standard config parsing
> (and I haven't checked the code to be sure), then you are correct.

They use the standard AP_INIT_ITERATE2 macro, so the surrounding quotes
(single or double) are removed by the config code.

>> We should also mention that a quote appearing inside the alt-string
>> should (must? has to?) be escaped as HTML
> 
> Don't know.  Again, I'd have to check the code.  I also seem to
> remember seeing various kinds of bugs reported regarding the escaping
> or lack-thereof with mod_autoindex.

hmm. IMHO it's a good thing to give the user the possibility of using
entities. If the code escapes non-ascii and special chars [<>&] in
general, the user has no chance to include entities there... 

AFAIS the alt texts are not escaped anywhere at the moment.
Since the double quote is a "control character" inside the alt texts,
I'd say the code should escape double quotes (and only them) to &quot;. 

[
DON'T try this at home:

AddAlt '" onmouseover="while(true) alert(\'Hi!\');//' *
]

>> http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername
[...]

> Yes, I've seen this problem elsewhere.  But the only directive that
> causes the problem is Options.  My opinion is that it is not worth
> adding complexity to both the DTD and the xslt for this one case. 
> This is particularly true because the docs shouldn't be mangling the
> name of this directive in the first place.  That is a sure way to
> confuse people.  
[...]

ah, yes, that's probably true. I'm not so sure that it affects only
"Options". When I meet another such sentence some day, I'll rewrite
it ;-)

nd
-- 
Treat your password like your toothbrush. Don't let anybody else
use it, and get a new one every six months.  -- Clifford Stoll

                                    (found in ssl_engine_pphrase.c)
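
The quote handling discussed in the message above, as an added example that is not part of the original post and is not httpd code: it interpolates an alt string into an <img> tag raw and with double quotes (and only them) escaped to &quot;, so entities stay usable. The function names and the icon path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd code: copy src to dst, turning each double
 * quote into &quot; and leaving everything else (including entities such as
 * &auml;) untouched. Returns 0 on success, -1 if dst is too small. */
int escape_alt_quotes(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        const char *rep = (*src == '"') ? "&quot;" : NULL;
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen) return -1;          /* keep room for the NUL */
        if (rep) memcpy(dst + o, rep, n); else dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Build an <img> tag around the configured alt text. escape == 0 is the raw
 * interpolation; escape != 0 escapes quotes first. Icon path is constructed. */
int render_img(const char *alt, int escape, char *out, size_t outlen)
{
    char buf[256];
    if (escape) {
        if (escape_alt_quotes(alt, buf, sizeof buf) != 0) return -1;
        alt = buf;
    }
    int n = snprintf(out, outlen, "<img src=\"/icons/unknown.gif\" alt=\"%s\">", alt);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* A tag with exactly two attributes must contain exactly four double quotes. */
int count_dquotes(const char *s)
{
    int c = 0;
    for (; *s; s++) c += (*s == '"');
    return c;
}

int main(void)
{
    char out[512];
    for (int esc = 0; esc < 2; esc++)            /* AddAlt foo"bar *.baz */
        if (render_img("foo\"bar", esc, out, sizeof out) == 0)
            printf("%s (%d quotes)\n", out, count_dquotes(out));
    return 0;
}
```

A quote count other than four on the raw output means the alt value ended early and the rest of the configured string is being parsed as markup.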



Re: mod_autoindex & DTD issues

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 12 Sep 2002, André Malo wrote:
> String should be enclosed in double quotes (").

If the parsing for these directives is the standard config parsing (and I
haven't checked the code to be sure), then you are correct.

>
> We should also mention that a quote appearing inside the alt-string
> should (must? has to?) be escaped as HTML

Don't know.  Again, I'd have to check the code.  I also seem to remember
seeing various kinds of bugs reported regarding the escaping or
lack-thereof with mod_autoindex.

>
> The other issue:
> Please take a look at:
> http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername
>
> inside the div.note beneath the example you'll find the following:
> (taken from the original XML)
>
> <p><a href="../content-negotiation.html">Content negotiation</a>
>       will be performed if the <code>MultiViews</code> <directive
>       module="core">Option</directive> is enabled.
> [..]
>
> Of course, there's no directive "Option" and the link points to nowhere.
> To keep the semantics I'd like to add another attribute to the directive
> element, which contains the actual directive name, if necessary, e.g.

>
> What do you think? Any objections?

Yes, I've seen this problem elsewhere.  But the only directive that causes
the problem is Options.  My opinion is that it is not worth adding
complexity to both the DTD and the xslt for this one case.  This is
particularly true because the docs shouldn't be mangling the name of this
directive in the first place.  That is a sure way to confuse people.  We
should just rewrite the sentence to use the proper directive name, as in
"Content-negotiation will be performed if the Options directive includes
Multiviews" (or something to that effect).

Joshua.

