Script tag contents are HTML escaped

[kpdecker]

As of the latest master the contents of script tags are HTML escaped.

  + expected - actual

  +"<!doctype html>\n<html>\n  <body>foo\n<script>var $serverCache = {\"http://localhost:51205/\": {\"data\":\"get!\"}};</script></body>\n</html>\n"
  -"<!doctype html>\n<html>\n  <body>foo\n<script>var $serverCache = {&quot;http://localhost:51205/&quot;: {&quot;data&quot;:&quot;get!&quot;}};</script></body>\n</html>\n"

[fb55]

All entities are now decoded while parsing. That's generally an improvement (especially as this fixed several issues with entities in attribute values), but requires encoding characters once the document is rendered.

There are several characters that don't really have to be escaped, " in text nodes being one of them. <, & and non-ASCII characters should actually be the only ones that require escaping.

The fix in #461 is too narrow. In the end, we should maintain a list of elements that contain plain text, raw text or script data (ie. script, style, xmp, iframe, noembed, noframes, noscript, plaintext) or alternatively add this information to the DOM.

[kpdecker]

For #461 this was a bit of a rushed fix as the merge with canonical master
was about to break production. (We're running bleeding edge right now :) )

I think in the long run reducing the number of escaped characters will have
a positive impact as this results in a smaller file size and depending on
the implementation should result in faster rendering times due to reduced
escaping overhead.

That being said, I don't think the list there is accurate, from my reading
of the spec. It seems like script, style, and foreign elements such as
embedded SVG have different escaping standards, but otherwise it's more or
less the same as all other elements (with content) would fall into the
normal elements category.
http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#elements-0

On Tue, Apr 22, 2014 at 9:04 AM, Felix Böhm notifications@github.comwrote:

All entities are now decoded while parsing. That's generally an
improvement (especially as this fixed several issues with entities in
attribute values), but requires encoding characters once the document is
rendered.

There are several characters that don't really have to be escaped, " in
text nodes being one of them. <, & and non-ASCII characters should
actually be the only ones that require escaping.

The fix in #461 #461 is too
narrow. In the end, we should maintain a list of elements that contain
plain text, raw text or script data (ie. script, style, xmp, iframe,
noembed, noframes, noscript, plaintext) or alternatively add this
information to the DOM.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/460#issuecomment-41043093
.

[fb55]

@kpdecker Have a look at the serialization part of the spec:

If current node is a Text node
If the parent of current node is a style, script, xmp, iframe, noembed, noframes, or plaintext element, or if the parent of current node is a noscript element and scripting is enabled for the node, then append the value of current node's data IDL attribute literally.

Otherwise, append the value of current node's data IDL attribute, escaped as described below.

cheerio should just assume that the "scripting flag" is set, even though scripts aren't executed.

[fb55]

@kpdecker Do you want to give it a try? The dom-serializer module could need some love :)

(IMHO, the easiest solution would be to inline renderText…)

[kpdecker]

Sure I could take a look. Like I said the original patch was a knee jerk fix to get around our immediate production issues :( Will try to make some time to look at the whole thing.

[giltayar]

Just stumbled on the bug when upgrading cheerio.

I also had to pin it to 0.15, as this is a breaking change for us too - we use cheerio to read and transform html, and if the transformed HTML includes a script tag, that script tag will not parse in browsers. (well, I tried Chrome, but I'm assuming all the others...)

[kennu]

We also had to pin to Cheerio 0.15, because the output from .html() now has invalid escaped inline stylesheets etc.

[alexindigo]

Similar problem with tag attributes, it mangles following <div data-fetch_summary="{&quot;collection&quot;:5}"> into <div data-fetch_summary="{&#x26;quot;collection&#x26;quot;:5}"> which is pain in the neck.

And I can't see the use case for escaping attribute values, since they weren't decoded on the first place.

[robogeek]

I've had to pin to Cheerio 0.15 as well, for the reasons noted above (script tags having their content mangled).

[fb55]

Will be fixed by #458.

[alexindigo]

I've found the solution for this problem and other ones, just need to fix the tests.
Going to submit soon.

[alexindigo]

Submitted PR #499

[bitinn]

What we are doing might be an edge case, but we use cheerio to parse and build Swig template for rendering on server. And v0.16 starts to escape this line:

<title>{{__("i18n text")}}</title>

into

<title>{{__(&quot;i18n text&quot;)}}</title>

which cause Swig to choke. I am wondering if this is a supported use-case in future? Or can we turn off such escaping with a setting (apologize if i overlook something trivial)

[fb55]

The next release will allow you to pass decodeEntities: false, resulting
in the desired behavior.

Felix