httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject mod_include: echo, entity encoding and UTF-8
Date Sat, 18 Sep 2010 17:10:26 GMT
Hi all,

When the SSI tag below is handled, the value of the string output to  
the browser is entity encoded:

<!--#echo encoding="entity" var="MY_VAR"-->

This is done with a line that looks something like this:

/* PR#25202: escape anything non-ascii here */
echo_text = ap_escape_html2(ctx->dpool, val, 1);

The problem with the above is the parameter "1", which means that non-ASCII characters are entity encoded as HTML escape sequences, and in the process anything encoded with UTF-8 (that is not ASCII) breaks.

What I propose we do is change the value for v2.3+ as follows:

echo_text = ap_escape_html2(ctx->dpool, val, 0);

This allows UTF-8 character sequences to be passed through unchanged.

Past discussion in PR#25202 seems to revolve around backwards  
compatibility, though with v2.4+ we have the power to change this  
behaviour.

Does any cross-site scripting risk result from allowing UTF-8 character sequences through? I understand not, but would like to confirm.

Regards,
Graham
--
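As an added illustration (this is not code from the thread or from httpd itself), the following small C program reimplements the escaping step the message describes, with the third argument playing the role of the "1"/"0" parameter. It is modelled on the behaviour discussed above; the exact numeric-entity format ("&#NNN;" per byte) is an assumption of this example. Running it on a UTF-8 input such as "café <b>" shows why the "1" mode breaks multi-byte characters: each byte of the two-byte sequence for "é" becomes its own numeric entity, which a browser renders as two Latin-1 characters, while in the "0" mode the bytes pass through intact. In both modes the markup-significant characters <, >, & and " are still escaped, which is the property that matters for the cross-site scripting question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical reimplementation (example code, not httpd's ap_escape_html2)
 * of HTML escaping with an optional "escape everything non-ASCII" switch.
 *
 *   toasc == 1 : every byte >= 0x80 is emitted as a numeric entity "&#NNN;",
 *                one entity per byte, which splits multi-byte UTF-8 sequences.
 *   toasc == 0 : bytes >= 0x80 are copied through unchanged.
 *
 * Returns a malloc'd string the caller must free, or NULL on allocation failure.
 */
char *escape_html_like(const char *s, int toasc)
{
    size_t n = strlen(s);
    size_t i, j = 0;
    /* Worst case: every byte expands to 6 characters ("&quot;" or "&#NNN;"). */
    char *out = malloc(n * 6 + 1);
    if (out == NULL) {
        return NULL;
    }
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '<') {
            memcpy(out + j, "&lt;", 4);  j += 4;
        } else if (c == '>') {
            memcpy(out + j, "&gt;", 4);  j += 4;
        } else if (c == '&') {
            memcpy(out + j, "&amp;", 5); j += 5;
        } else if (c == '"') {
            memcpy(out + j, "&quot;", 6); j += 6;
        } else if (toasc && c >= 0x80) {
            /* One numeric entity per byte: 0xC3 0xA9 ("é") -> "&#195;&#169;" */
            j += (size_t)sprintf(out + j, "&#%3.3d;", c);
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Returns 1 if any raw markup-significant character survives in the output. */
int contains_raw_markup(const char *s)
{
    return strpbrk(s, "<>\"") != NULL;
}

int main(void)
{
    /* Constructed sample: UTF-8 "café" followed by a tag and a quoted value. */
    const char *val = "caf\xc3\xa9 <b>\"x\"&y";
    char *with_toasc = escape_html_like(val, 1);
    char *without_toasc = escape_html_like(val, 0);

    if (with_toasc == NULL || without_toasc == NULL) {
        return 1;
    }
    printf("toasc=1: %s\n", with_toasc);     /* bytes of e-acute split into two entities */
    printf("toasc=0: %s\n", without_toasc);  /* UTF-8 bytes pass through unchanged */
    printf("raw markup left (toasc=0)? %s\n",
           contains_raw_markup(without_toasc) ? "yes" : "no");

    free(with_toasc);
    free(without_toasc);
    return 0;
}
```

The check a reviewer of the proposed change would want is the last line of output: switching the parameter from 1 to 0 changes only what happens to bytes above 0x7F, not the escaping of the four characters that can open a tag or attribute. The remaining practical point is that the raw bytes are only interpreted correctly when the response is served with a matching charset (for example via the Content-Type header or httpd's AddDefaultCharset directive), so that is the configuration to confirm alongside the code change.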