Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Python 3: Decode HEX value back to single quote #25141

Closed
wants to merge 1 commit into from

Conversation

@ziransun
Copy link
Contributor

@ziransun ziransun commented Aug 20, 2020

No description provided.

@ziransun
Copy link
Contributor Author

@ziransun ziransun commented Aug 20, 2020

@Hexcles: I'm not sure this CL gives a good solution. Just try to find out why the escaping character in policy value ('self') has been converted Hex value in python 3 case. Anything obvious to you?

@ziransun ziransun force-pushed the ziransun:content-policy branch from 6e01419 to a1e1b29 Aug 24, 2020
@Hexcles
Copy link
Member

@Hexcles Hexcles commented Aug 24, 2020

Where is policy coming from? Something like {{GET[...]}}?

Looks like we are getting the URL-encoded version of the string.

@ziransun
Copy link
Contributor Author

@ziransun ziransun commented Aug 26, 2020

Where is policy coming from? Something like {{GET[...]}}?

It should come from this line

Looks like we are getting the URL-encoded version of the string.

That's what I suspected as well. I couldn't see any direct calls of .py file in these test scripts. Could it be something at wpt core part?

@Hexcles
Copy link
Member

@Hexcles Hexcles commented Aug 28, 2020

@ziransun yeah I'm looking at wptserve.

Meanwhile, could you provide some concrete examples (comparison of strings in Py2 and 3, as well as the test that triggers it)?

@Hexcles
Copy link
Member

@Hexcles Hexcles commented Aug 28, 2020

Hmm, I also see

var window_url = decodeURIComponent("javascript:&#x27;&lt;iframe src=/content-security-policy/support/fail.js /&gt;&#x27;").replace('&lt;', '<').replace('&gt;', '>');

in Python 2. In other words, this doesn't seem to happen in Python 3 only.

Reading the source code, I think this is the expected behaviour:

def wrap_pipeline(path, request, response):
query = parse_qs(request.url_parts.query)
pipe_string = ""
if ".sub." in path:
ml_extensions = {".html", ".htm", ".xht", ".xhtml", ".xml", ".svg"}
escape_type = "html" if os.path.splitext(path)[1] in ml_extensions else "none"
pipe_string = "sub(%s)" % escape_type

sets escape_type to html, which leads to content to be percent-encoded in the output. And this test is hence a bit problematic... I think we'd need something like #25275 (just a PoC for now).

@Hexcles
Copy link
Member

@Hexcles Hexcles commented Sep 16, 2020

#25275 landed, so let's close this PR.

@Hexcles Hexcles closed this Sep 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
You can’t perform that action at this time.