Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug on regexp of HTMLParser #51560

Closed
pluskid mannequin opened this issue Nov 12, 2009 · 19 comments
Closed

Bug on regexp of HTMLParser #51560

pluskid mannequin opened this issue Nov 12, 2009 · 19 comments
Assignees
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@pluskid
Copy link
Mannequin

pluskid mannequin commented Nov 12, 2009

BPO 7311
Nosy @freddrake, @abalkin, @orsenthil, @ezio-melotti, @merwok, @bitdancer
Files
  • issue7311.diff: Patch to allow non-ascii letters in attribute values (2.7)
  • issue7311-2.diff: Patch that follow HTML5 specification for attr values (2.7)
  • issue7311-3.diff: Patch that follows HTML5 specification for attr values (3.2)
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/ezio-melotti'
    closed_at = <Date 2011-04-07.19:29:03.792>
    created_at = <Date 2009-11-12.16:25:42.827>
    labels = ['type-bug', 'library']
    title = 'Bug on regexp of HTMLParser'
    updated_at = <Date 2011-04-07.19:29:03.791>
    user = 'https://bugs.python.org/pluskid'

    bugs.python.org fields:

    activity = <Date 2011-04-07.19:29:03.791>
    actor = 'ezio.melotti'
    assignee = 'ezio.melotti'
    closed = True
    closed_date = <Date 2011-04-07.19:29:03.792>
    closer = 'ezio.melotti'
    components = ['Library (Lib)']
    creation = <Date 2009-11-12.16:25:42.827>
    creator = 'pluskid'
    dependencies = []
    files = ['21406', '21517', '21545']
    hgrepos = []
    issue_num = 7311
    keywords = ['patch']
    message_count = 19.0
    messages = ['95162', '95527', '95529', '132223', '132321', '132864', '133055', '133075', '133083', '133096', '133136', '133145', '133146', '133149', '133174', '133185', '133188', '133189', '133247']
    nosy_count = 9.0
    nosy_names = ['fdrake', 'belopolsky', 'orsenthil', 'ezio.melotti', 'eric.araujo', 'v+python', 'r.david.murray', 'pluskid', 'python-dev']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue7311'
    versions = ['Python 2.7', 'Python 3.2', 'Python 3.3']

    @pluskid
    Copy link
    Mannequin Author

    pluskid mannequin commented Nov 12, 2009

    Hi all,

    I'm using BeautifulSoup to parsing an HTML page and find it refused to
    parse the page. By looking at the backtrace, I found it is a problem
    with the python built-in HTMLParser.py. In fact, the web page I'm
    parsing is with some Chinese characters. there is a tag like <img
    src=/foo/bar.png alt=中文> , note this is legacy html page where the
    attributes are not quoted. However, the regexp defined in
    HTMLParser.py is :

     attrfind = re.compile(
        r'\s*([a-zA-Z_][-.:a-zA-Z_0-9]*)(\s*=\s*'
        r'(\'[^\']*\'|"[^"]*"|[-a-zA-Z0-9./,:;+*%?!&$\(\)_#=~@]*))?')

    Note that the Chinese character (also any other non-english
    characters), so it fire an error parsing this. I'm not sure whether
    the HTML standard allow un-quoted non-ASCII characters in the
    attributes. If it allows, this seems to be a bug. and the regexp to
    better be [^\>\\s] IMHO.

    BTW: It seems something like :

    <script>
    var st = "<a></";
    </script>

    can not be parsed. :-/

    @pluskid pluskid mannequin added stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error labels Nov 12, 2009
    @vpython
    Copy link
    Mannequin

    vpython mannequin commented Nov 20, 2009

    Re: the BTW -- < and > should be entity-escaped when used in attribute
    values inside tag attributes... (but are probably seldom found as part
    of tag attribute values)

    But the example you showed is not an attribute in a tag, but rather text
    within a paired tag.

    But your suggestion for the regexp seems correct to me, if the non-ASCII
    characters are permitted for non-quoted attribute values.

    @pluskid
    Copy link
    Mannequin Author

    pluskid mannequin commented Nov 20, 2009

    re: Yes. In fact, the BTW is a different problem with respect to this
    bug. And that seems to be more complicated to fix.

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Mar 26, 2011

    The attached patch changes the regex to allow non-ascii letters in attribute values (using \w with the re.UNICODE flag instead of [a-zA-Z0-9_]).

    Using [^\>\\s] (or even [^\> ]) might be OK too, since that's what browsers seem to use (e.g. Firefox and Chrome show "テ<ス＀ト   -d-fg" as title of '<a href="" title=テ<ス＀ト   -d-fg href="">foo</a>', including the non-ascii spaces in the middle).

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Mar 27, 2011

    The HTML 4.01 specifications says0:
    """
    In certain cases, authors may specify the value of an attribute without any quotation marks. The attribute value may only contain letters (a-z and A-Z), digits (0-9), hyphens (ASCII decimal 45), periods (ASCII decimal 46), underscores (ASCII decimal 95), and colons (ASCII decimal 58). We recommend using quotation marks even when it is possible to eliminate them.
    """

    The HTML 5 draft says1:
    """
    The attribute name, followed by zero or more space characters, followed by a single U+003D EQUALS SIGN character, followed by zero or more space characters, followed by the attribute value, which, in addition to the requirements given above for attribute values, must not contain any literal space characters, any U+0022 QUOTATION MARK characters ("), U+0027 APOSTROPHE characters ('), U+003D EQUALS SIGN characters (=), U+003C LESS-THAN SIGN characters (<), U+003E GREATER-THAN SIGN characters (>), or U+0060 GRAVE ACCENT characters (`), and must not be the empty string.
    """

    So maybe [^\>\\s] is a little too permissive here.

    @ezio-melotti ezio-melotti self-assigned this Apr 3, 2011
    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 3, 2011

    Here's a patch that matches unquoted attribute values according to the HTML5 specifications.

    The regex uses \s even if this includes the \v char that, according to the HTML5 specs, shouldn't be included. I left it there for simplicity and backward-compatibility, and also because it's a rather obscure corner case.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Apr 5, 2011

    New changeset 7d4dea76c476 by Ezio Melotti in branch '2.7':
    bpo-7311: fix HTMLParser to accept non-ASCII attribute values.
    http://hg.python.org/cpython/rev/7d4dea76c476

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 5, 2011

    With 3.2 the situation is more complicated because there is a strict and a non-strict mode.
    The strict mode uses:
    attrfind = re.compile(
    r'\s*([a-zA-Z_][-.:a-zA-Z_0-9])(\s=\s*'
    r'(\'[^\\']\'|"[^"]"|[-a-zA-Z0-9./,:;+%?!&$\(\)_#=~@]))?')

    and the tolerant mode uses:
    attrfind_tolerant = re.compile(
    r'\s*([a-zA-Z_][-.:a-zA-Z_0-9])(\s=\s*'
    r'(\'[^\\']\'|"[^"]"|[^\>\\s]*))?')

    This means that the strict mode doesn't allow valid non-ASCII chars, and that tolerant mode is a little too permissive.

    The attached patch changes the strict regex to be more permissive and leaves the tolerant regex unchanged. The difference between the two are now so small that the tolerant version could be removed, except that re.search is used instead of re.match when the tolerant regex is used.

    @bitdancer
    Copy link
    Member

    bitdancer commented Apr 5, 2011

    The goal of tolerant mode is to accept anything a typical browser would accept. I suspect that means the tolerant regex should stay, but I don't remember the details.

    As for the strict....as far as I know the current module follows 4.01, not 5. I'm not sure what should be done about that.

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 5, 2011

    I don't see many use cases for the strict mode. It is not strict enough to be used for validation, and while parsing HTML I can't think of any other case where I would want an exception raised (always as long as what is parsed by the tolerant mode is a superset of what is parsed by the strict mode).

    If the parser is still able to parse what it was parsing before, I wouldn't worry too much about backward compatibility, because I can't imagine a valid use case where people would want the parser to fail (maybe someone else can?).

    @merwok
    Copy link
    Member

    merwok commented Apr 6, 2011

    I think the stdlib should comply with HTML 4.01, and in the future HTML 5.

    (FTR, I don’t think XHTML is useful, and deny that XHTML-compatible HTML exists. See http://bugs.python.org/issue11567#msg131509 :)

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 6, 2011

    I would agree if the HTMLParser was compliant with the HTML 4.01 specs, but since it's more permissive and uses its own heuristic to determine what should be parsed and what shouldn't, I think it's better to use already existing heuristics (either the HTML5 ones or the ones used by the browsers).
    I.e., I'm not trying to make it HTML5 compliant, just to make it work with what works on the browsers.

    @merwok
    Copy link
    Member

    merwok commented Apr 6, 2011

    Okay, sounds good.

    @orsenthil
    Copy link
    Member

    orsenthil commented Apr 6, 2011

    We need not base changes to html/parser.py on html5 spec, but rather make changes based on the requirements on parsers which may rely on this library. Like the tolerant mode was brought in bpo-1486713 for some practical reasons and it was seen useful tor parsers.

    I don't know, how common is leaving out quotes for attributes is, but I think it can become really confusing to parsers (custom parsers). If we had not supported non-quote attributes I think, it is still okay still to not-to-support unless presented with case as very concrete bug. (like spec html 4.1 allows, which I see it does not).

    The patch which added support for non-ascii characters is fine.

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 6, 2011

    So is the bpo-7311-3.diff patch fine? It changes the strict regex to match the 2.7 one, and leave the tolerant one unchanged (even if now the two regexs are really close).

    @bitdancer
    Copy link
    Member

    bitdancer commented Apr 7, 2011

    Sounds fine to me.

    @orsenthil
    Copy link
    Member

    orsenthil commented Apr 7, 2011

    So is the bpo-7311-3.diff patch fine?

    Just that it allows unquoted attrs for unicode too.

    My previous suggestion was not to allow unquoted attribute values, but as the change is already made in 2.7 and discussion pointed out a portion in 4.1 spec which allows unquoted attrs for ASCII, it seems fine. html/parse.py will be bit more permissive than what the spec says.

    It changes the strict regex to match the 2.7 one, and leave the tolerant one unchanged.

    That is fine.

    @ezio-melotti
    Copy link
    Member

    ezio-melotti commented Apr 7, 2011

    On 3.2 the patch changes only the range of chars matched by the regex when the attribute value doesn't have quotes and strict=True.

    The parser already allowed unquotes attribute values even before the patch (in both strict and tolerant mode), but used an explicit list of allowed chars that was limited to the ASCII range.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Apr 7, 2011

    New changeset 225400cb6e84 by Ezio Melotti in branch '3.2':
    bpo-7311: fix html.parser to accept non-ASCII attribute values.
    http://hg.python.org/cpython/rev/225400cb6e84

    New changeset a1dea7cde58f by Ezio Melotti in branch 'default':
    bpo-7311: merge with 3.2.
    http://hg.python.org/cpython/rev/a1dea7cde58f

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Development

    No branches or pull requests

    4 participants