From: Graham Leggett
To: dev@httpd.apache.org
Subject: mod_include: echo, entity encoding and UTF-8
Date: Sat, 18 Sep 2010 19:10:26 +0200
Message-Id: <66A5B85A-E3E2-4C30-8978-921E448D5F77@sharp.fm>

Hi all,

When the SSI tag below is handled, the value of the string output to the browser is entity encoded:

This is done with a line that looks something like this:

    /* PR#25202: escape anything non-ascii here */
    echo_text = ap_escape_html2(ctx->dpool, val, 1);

The problem with the above is the parameter "1", which means that non-ASCII characters are entity encoded as html escape sequences, and in the process anything encoded with UTF-8 (and is not ASCII) breaks.

What I propose we do is change the value for v2.3+ as follows:

    echo_text = ap_escape_html2(ctx->dpool, val, 0);

This allows UTF-8 character sequences to be passed through unchanged.

Past discussion in PR#25202 seems to revolve around backwards compatibility, though with v2.4+ we have the power to change this behaviour.

Does any cross site scripting risk result from the allowance of UTF-8 character sequences? I understand not, but would like to confirm.

Regards,
Graham
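An added example, not part of Graham's message or of httpd's own code: a simplified stand-in for ap_escape_html2() (here called escape_html2(), malloc() instead of a pool) showing what the third parameter changes. The sample string is constructed; it mixes a UTF-8 sequence with the HTML metacharacters the function escapes in both modes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of httpd's ap_escape_html2(): escapes the HTML
 * metacharacters < > & " and, when toasc is non-zero, also turns every
 * non-ASCII *byte* into a decimal entity ("&#NNN;"). Returns a
 * malloc()ed string the caller frees (httpd allocates from a pool). */
char *escape_html2(const char *s, int toasc)
{
    size_t i, j = 0;
    /* worst case: every input byte expands to a 6-character sequence */
    char *out = malloc(strlen(s) * 6 + 1);
    if (!out)
        return NULL;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '<')
            j += (size_t)sprintf(out + j, "&lt;");
        else if (c == '>')
            j += (size_t)sprintf(out + j, "&gt;");
        else if (c == '&')
            j += (size_t)sprintf(out + j, "&amp;");
        else if (c == '"')
            j += (size_t)sprintf(out + j, "&quot;");
        else if (toasc && c >= 0x80)
            /* one entity per byte: a 2-byte UTF-8 character becomes two
             * Latin-1 code points, which is the breakage the mail describes */
            j += (size_t)sprintf(out + j, "&#%3.3d;", c);
        else
            out[j++] = (char)c;
    }
    out[j] = '\0';
    return out;
}

/* Check that no raw tag delimiters survived escaping, whichever mode ran. */
int contains_raw_markup(const char *escaped)
{
    return strchr(escaped, '<') != NULL || strchr(escaped, '>') != NULL;
}

int main(void)
{
    /* constructed sample: UTF-8 "caf\xC3\xA9" plus HTML metacharacters */
    const char *val = "caf\xC3\xA9 <b>x</b> & \"q\"";
    char *cur = escape_html2(val, 1);  /* behaviour the mail objects to */
    char *prop = escape_html2(val, 0); /* proposed v2.3+ behaviour */
    printf("toasc=1: %s\n", cur);
    printf("toasc=0: %s\n", prop);
    free(cur);
    free(prop);
    return 0;
}
```

With toasc=0 the four HTML metacharacters are still escaped, so the only thing the change admits into the output is raw non-ASCII bytes; whether a browser decodes them as intended depends on the charset the response declares.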