Minor discrepancy with fromHtmlEscapedString #1
Ok, out of the 200 reverse dependencies of
(This was done by scraping the package names out of the above link with grep and sed, So if any maintainers of these packages would like to weigh in on this issue, I'm all ears. @dcoutts @jaspervdj @chrisdone
Of course, this change also has the potential to affect the output of each one of these packages, and thus any downstream dependencies of these packages as well.
I'm okay with this staying as-is. Given that it's an HTML5 parse error, even browsers would be legitimate in stripping it out, so relying on that for real applications is living on borrowed time anyway.
I'm also fine with stripping out the control characters.
* 0.4.1.0
  - Gain compatibility with the Semigroup/Monoid proposal
  - Add Word8 HTML escaping builders
  - Speed up `fromHtmlEscapedText` and `fromHtmlEscapedLazyText`

* 0.4.0.2
  - Fixed warnings on GHC 7.10, courtesy of Mikhail Glushenkov.

* 0.4.0.1
  - Tightened the version constraints on the bytestring package for GHC 7.8

* 0.4.0.0
  - This is now a compatibility shim for the new bytestring builder. Most of the old internal modules are gone. See this blog post for more information: <http://blog.melding-monads.com/2015/02/12/announcing-blaze-builder-0-4/>
  - The 'Blaze.ByteString.Builder.Html.Utf8.fromHtmlEscaped*' functions now strip out any ASCII control characters present in their inputs. See <lpsmith/blaze-builder#1> for more information.
See jaspervdj/blaze-markup#15
`fromHtmlEscapedString` in `0.4` strips out '\DEL' as well as ASCII control characters, whereas the same function from `0.3` leaves them in.

e.g. with blaze-builder-0.3.3.2

with blaze-builder-0.4.0.0

Possible fixes would be to 1) release a revision of the `0.3` series that also strips out control characters, 2) adjust `0.4` so that it doesn't, or 3) leave it as-is.

It certainly is my intention that `0.4` be semantically identical to `0.3`, but I am curious what the correct behavior should be here with regards to html escaping, and how much trouble this discrepancy will actually cause. Control characters aren't kosher in HTML, but I don't know if they can actually lead to security vulnerabilities. Similarly, this discrepancy does cause problems with `blaze-markup`'s test suite, but I don't know if it'll cause any trouble in "real" applications.
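A probe for the discrepancy described in this issue, added here as an example and not code from the issue or from blaze-builder: built against either release, it reports which ASCII control characters `fromHtmlEscapedString` emits and which it drops, and lists the affected positions in a given input. The names `probes`, `survives` and `lostIn` and the sample string are constructed for illustration; it assumes the `blaze-builder` and `bytestring` packages are installed.

```haskell
-- Added example: probes whichever blaze-builder version it is compiled against.
module Main (main) where

import Blaze.ByteString.Builder (toByteString)
import Blaze.ByteString.Builder.Html.Utf8 (fromHtmlEscapedString)
import qualified Data.ByteString as B
import Data.Char (chr, ord)
import Data.List (partition)

-- The characters this issue is about: ASCII control characters plus DEL.
probes :: [Char]
probes = map chr ([0x00 .. 0x1F] ++ [0x7F])

-- True when the escaper emits the character's byte in its output.
-- The probe is wrapped in plain letters so an empty result is unambiguous.
survives :: Char -> Bool
survives c = byte `B.elem` escaped
  where
    byte = fromIntegral (ord c)
    escaped = toByteString (fromHtmlEscapedString ['a', c, 'b'])

-- Positions and characters of an input that the linked escaper does not
-- emit, i.e. the data that silently disappears from the rendered page.
lostIn :: String -> [(Int, Char)]
lostIn s =
  [ (i, c)
  | (i, c) <- zip [0 ..] s
  , c `elem` probes
  , not (survives c)
  ]

main :: IO ()
main = do
  let (kept, dropped) = partition survives probes
  putStrLn ("kept:    " ++ show kept)
  putStrLn ("dropped: " ++ show dropped)
  -- Constructed sample input containing SOH, a tab and DEL.
  let sample = "name\SOH<b>\tvalue\DEL"
  putStrLn ("lost in sample: " ++ show (lostIn sample))
```

Running `lostIn` over stored user content or test fixtures shows whether an application's output would change between the two release series.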