
Always escape < in text regardless of decodeEntities #75

Closed
wants to merge 1 commit into from

Conversation

thorn0

@thorn0 thorn0 commented Sep 3, 2018

Motivation: to avoid issues like fb55/htmlparser2#105

Closes #26

thorn0 added a commit to thorn0/htmlparser2-20kb that referenced this pull request Sep 5, 2018
@thorn0 thorn0 changed the title Always escape < in text regardless of decodeEntities Always escape < in text and " in attributes regardless of decodeEntities Sep 6, 2018
AmeliaBR added a commit to AmeliaBR/dom-serializer that referenced this pull request Oct 14, 2018
regardless of decodeEntities'

from cheeriojs#75
by @thorn0

I'd already added in the attribute escaping,
but this is more comprehensive & has tests.
@thorn0 thorn0 changed the title Always escape < in text and " in attributes regardless of decodeEntities Always escape < in text regardless of decodeEntities Aug 12, 2019
@thorn0
Author

thorn0 commented Aug 12, 2019

The attributes part of this was fixed in #76. But the issue with unescaped < in text remains open. Rebased this onto master. @fb55 please have a look.

@nylen

nylen commented Jan 17, 2021

@fb55 ping, this is a pretty nasty issue

@fb55
Member

fb55 commented Apr 8, 2021

This is fixing one potential security hole with decodeEntities: false, but many others remain. decodeEntities should only ever be used for trusted markup, and this PR breaks some workflows that depend on unescaped characters being printed.

@fb55 fb55 closed this Apr 8, 2021
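The behaviour argued over in this thread, as an added example that is not dom-serializer's own code: a minimal serializer over a small DOM tree, once in the form that switches all escaping off when `decodeEntities` is false (so a text node whose data happens to contain `<script>` is written out as real markup), and once in the form this PR proposes, where `<` in text and `"` in attributes are escaped no matter what the option says. The node shape, the option name and all function names are assumptions modelled on the discussion, not the project's real API.

```javascript
// Added example (not dom-serializer's code). Demonstrates the escaping
// defect discussed in cheeriojs PR #75 and the fix it proposes. The node
// shape ({type, name, attribs, children} / {type, data}) and the
// `decodeEntities` option are assumptions that mirror the thread.

// Constructed tree: a <p> whose text node was set programmatically (think
// of a .text() setter) to a string that looks like markup, plus an
// attribute value that contains a double quote and an ampersand.
const tree = {
  type: "tag",
  name: "p",
  attribs: { title: 'say "hi"' },
  children: [{ type: "text", data: "<script>alert(1)</script> & more" }],
};

// `&` is re-encoded only when entity encoding was requested; with
// decodeEntities:false any entities already present in the data pass
// through unchanged. This is the part the option legitimately controls.
function escapeAmp(s, decodeEntities) {
  return decodeEntities ? s.replace(/&/g, "&amp;") : s;
}

// Before: decodeEntities:false disables escaping entirely, so text and
// attribute data are copied into the output verbatim.
function serializeVerbatim(node, { decodeEntities = true } = {}) {
  if (node.type === "text") {
    return decodeEntities
      ? node.data.replace(/&/g, "&amp;").replace(/</g, "&lt;")
      : node.data;
  }
  const attrs = Object.entries(node.attribs)
    .map(([k, v]) => {
      const val = decodeEntities
        ? v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
        : v;
      return ` ${k}="${val}"`;
    })
    .join("");
  const inner = node.children
    .map((c) => serializeVerbatim(c, { decodeEntities }))
    .join("");
  return `<${node.name}${attrs}>${inner}</${node.name}>`;
}

// After: `<` in text and `"` in attributes are escaped unconditionally
// (the characters that can open new markup or break out of a quoted
// value); decodeEntities only decides whether `&` is re-encoded.
function serializeSafe(node, { decodeEntities = true } = {}) {
  if (node.type === "text") {
    return escapeAmp(node.data, decodeEntities).replace(/</g, "&lt;");
  }
  const attrs = Object.entries(node.attribs)
    .map(([k, v]) => ` ${k}="${escapeAmp(v, decodeEntities).replace(/"/g, "&quot;")}"`)
    .join("");
  const inner = node.children
    .map((c) => serializeSafe(c, { decodeEntities }))
    .join("");
  return `<${node.name}${attrs}>${inner}</${node.name}>`;
}

// Check used below: the literal "<script" only ever existed inside a text
// node's data, so its presence in the output means text became markup.
function leaksRawMarkup(html) {
  return /<script/i.test(html);
}

function demo() {
  return {
    verbatim: serializeVerbatim(tree, { decodeEntities: false }),
    safe: serializeSafe(tree, { decodeEntities: false }),
  };
}

console.log(demo());
```

With `decodeEntities: false` the verbatim form emits `<p title="say "hi""><script>alert(1)</script> & more</p>`, while the safe form emits `<p title="say &quot;hi&quot;">&lt;script>alert(1)&lt;/script> & more</p>`. Note what the safe form still leaves alone: the bare `&` and anything already written as an entity are passed through untouched, which is exactly why the maintainer's point stands that the option is only appropriate for markup you already trust.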
Successfully merging this pull request may close these issues.

special HTML / XML characters are not encoded if decodeEntities is false