Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

decodeEntities unsafely decodes & when it results in a legacy character reference #964

Closed
mathiasbynens opened this issue Sep 23, 2018 · 1 comment
Closed

decodeEntities unsafely decodes & when it results in a legacy character reference #964

mathiasbynens opened this issue Sep 23, 2018 · 1 comment

Comments

@mathiasbynens
Copy link
Collaborator

mathiasbynens commented Sep 23, 2018
edited

The decodeEntities option decodes & even in cases when doing so changes the meaning (and rendering) of the resulting HTML.

Input HTML:

<pre><code>Label current;
// Load effective address of current instruction into rcx.
__ leaq(rcx, Operand(&amp;current));
__ bind(&amp;current);
</code></pre>

With decodeEntities: true, this gets minified into:

<pre><code>Label current;
// Load effective address of current instruction into rcx.
__ leaq(rcx, Operand(&current));
__ bind(&current);
</code></pre>

Note how &amp;current (which renders as “&current”) is changed into &current (which renders as “¤t”). This should not happen since &curren (yes, even without the trailing ;) is a character reference for ¤, and so turning the &amp; into just & changes the rendering/meaning.

The full list of such entities that do not require a closing ; (like &curren) is here: https://github.com/mathiasbynens/he/blob/master/data/decode-map-legacy.json (generated from the HTML Standard)
@mathiasbynens mathiasbynens changed the title decodeEntities decodeEntities unsafely decodes &amp; when it results in a legacy character reference Sep 23, 2018
mathiasbynens added a commit to mathiasbynens/html-minifier that referenced this issue Sep 23, 2018
@mathiasbynens
Prevent data loss when using decodeEntities
0066e22 
Without this patch, the `decodeEntities` option decodes e.g. `&amp;` even in cases when doing so changes the meaning (and rendering) of the resulting HTML.

Fixes kangax#964.
@mathiasbynens mathiasbynens mentioned this issue Sep 23, 2018
Merged
mathiasbynens added a commit to mathiasbynens/html-minifier that referenced this issue Sep 23, 2018
@mathiasbynens
Prevent data loss when using decodeEntities
cb15b2a 
Without this patch, the `decodeEntities` option decodes e.g. `&amp;` even in cases when doing so changes the meaning (and rendering) of the resulting HTML.

Fixes kangax#964.
@mathiasbynens
Copy link
Collaborator Author

Patch: #965

mathiasbynens added a commit to mathiasbynens/html-minifier that referenced this issue Sep 28, 2018
@mathiasbynens
Prevent data loss when using decodeEntities
9b0c7cc 
Without this patch, the `decodeEntities` option decodes e.g. `&amp;` even in cases when doing so changes the meaning (and rendering) of the resulting HTML.

Fixes kangax#964.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mathiasbynens