httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Malo>
Subject Re: mod_autoindex & DTD issues
Date Thu, 12 Sep 2002 12:36:12 GMT
* Joshua Slive wrote:

> On Thu, 12 Sep 2002, André Malo wrote:
>> String should be enclosed in double quotes (").
> If the parsing for these directives is the standard config parsing
> (and I haven't checked the code to be sure), then you are correct.

They use the standard AP_INIT_ITERATE2 macro, so the quotes around
(single or double) are removed by the config code. 

>> We should also mention, that a quote appearing inside the alt-string
>> should (must? has to?) be escaped as HTML
> Don't know.  Again, I'd have to check the code.  I also seem to
> remember seeing various kinds of bugs reported regarding the escaping
> or lack-thereof with mod_autoindex.

hmm. IMHO it's a good thing to give the user the possibility of using
entities. If the code escapes non-ascii and special chars [<>&] in
general, the user has no chance to include entities there... 

AFAIS the alt texts are not escaped anywhere at the moment.
Since the double quote is a "control character" inside the alt texts,
I'd say the code should escape double quotes (and only them) to &quot;. 

DON'T try this at home:

AddAlt '" onmouseover="while(true) alert(\'Hi!\');//' *


> Yes, I've seen this problem elsewhere.  But the only directive that
> causes the problem is Options.  My opinion is that it is not worth
> adding complexity to both the DTD and the xslt for this one case. 
> This is particularly true because the docs shouldn't be mangling the
> name of this directive in the first place.  That is a sure way to
> confuse people.  

ah, yes, that's probably true. I'm not so sure that it affects only
"Options". When I meet another of such sentences some day, I'll rewrite
it ;-) 

Treat your password like your toothbrush. Don't let anybody else
use it, and get a new one every six months.  -- Clifford Stoll

                                    (found in ssl_engine_pphrase.c)

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message