Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Blockcode (bc.) does not autoescape HTML properly #3

Open
GwenDragon opened this Issue · 0 comments

1 participant

@GwenDragon

While using bc.. some <,> and " are not escaped properly.

See the testcode:

#!/usr/bin/perl

use strict;
use warnings;

use Text::Textile;

my $textile = Text::Textile->new;

my $code = <<'CODE';
bc.. <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de" xml:lang="de">
<script src="/test/test.js" type="text/javascript"></script>
<head>
<title>Test</title>

bc. <?xml version="1.0" encoding="UTF-8"?>

bc. <script src="/test/test.js" type="text/javascript"></script>

CODE
print $textile->process($code);

__END__

Code generates this HTML

<pre><code><?xml version="1.0" encoding="UTF-8"?>
&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd&quot;&gt;
&lt;html xmlns=&quot;http://www.w3.org/1999/xhtml&quot; dir=&quot;ltr&quot; lang=&quot;de&quot; xml:lang=&quot;de&quot;&gt;
<script src="/test/test.js" type="text/javascript"></script>
&lt;head&gt;
&lt;title&gt;Test&lt;/title&gt;</code></pre>

<pre><code><?xml version="1.0" encoding="UTF-8"?></code></pre>

<pre><code><script src="/test/test.js" type="text/javascript"></script></code></pre>

Documentation in http://search.cpan.org/~bchoate/Text-Textile-2.12/lib/Text/Textile.pm#SYNTAX says:

bc
A "bc" signature is short for "block code", which implies a preformatted section like the "pre" block,
but it also gets a <code> tag (or for XHTML 2, a <blockcode> tag is used instead).
Note that within a "bc" block, < and > are translated into HTML entities automatically.

As you can see, the <, > and " char in <script>, </script>, <? and ?> are not HTML-escaped!

Seems to be a bug.

@GwenDragon GwenDragon referenced this issue from a commit in GwenDragon/text-textile
Lilo von Hanffstengel (GwenDragon) Fix bc, missing escaping of <>" issue #3 1eea975
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.