lucene-dev mailing list archives

From "Robert Muir (JIRA)" <>
Subject [jira] [Commented] (LUCENE-5191) SimpleHTMLEncoder in Highlighter module breaks Unicode outside BMP
Date Thu, 29 Aug 2013 15:25:52 GMT


Robert Muir commented on LUCENE-5191:

As we are not working in unquoted attributes

You cannot make this determination. If you want to copy this method and put a less secure
version in SimpleHTMLEncoder, that's cool with me.

But don't make PostingsHighlighter less secure: -1 to that.
> SimpleHTMLEncoder in Highlighter module breaks Unicode outside BMP
> ------------------------------------------------------------------
>                 Key: LUCENE-5191
>                 URL:
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/highlighter
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>             Fix For: 5.0, 4.5
>         Attachments: LUCENE-5191.patch
> The highlighter provides a function to escape HTML, which does too much. To create valid
> HTML only ", <, >, & must be escaped, everything else can be kept unescaped. The escaper
> unfortunately does also additionally escape everything > 127, which is unneeded if your
> web site has the correct encoding. It also produces huge amounts of HTML entities if used
> with eastern languages.
> This would not be a bug if the escaping would be correct, but it isn't, it escapes like
> {{result.append("\&#").append((int)ch).append(";");}}
> So it escapes not (as HTML needs) the unicode codepoint, instead it escapes the UTF-16
> char, which is incorrect, e.g. for our all-time favourite Deseret:
> U+10400 (deseret capital letter long i) would be escaped as {{&\#55297;&\#56320;}}
> and not as {{&\#66560;}}.
> So we should remove the stupid encoding of chars > 127 which is simply useless :-)
> See also:

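The difference the issue description draws between escaping a UTF-16 char and escaping a Unicode code point, as an added example that is not part of the original message or of Lucene's code. The class and method names are hypothetical, and mapping a lone surrogate to U+FFFD is a choice made for this example only.

```java
public class CodePointEscapeDemo {

    // Behaviour described in the report: each UTF-16 char is escaped on its
    // own, so a supplementary character becomes two surrogate references.
    static String escapePerChar(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            appendEscaped(out, s.charAt(i));
        }
        return out.toString();
    }

    // Code-point-aware variant: a surrogate pair is read as one code point
    // and produces a single numeric character reference.
    static String escapePerCodePoint(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            // A lone surrogate has no valid reference; assumption of this
            // example: substitute U+FFFD REPLACEMENT CHARACTER.
            if (cp >= 0xD800 && cp <= 0xDFFF) {
                cp = 0xFFFD;
            }
            appendEscaped(out, cp);
        }
        return out.toString();
    }

    // Escapes the four characters named in the report, plus everything > 127
    // as a decimal numeric character reference.
    private static void appendEscaped(StringBuilder out, int c) {
        switch (c) {
            case '"': out.append("&quot;"); break;
            case '&': out.append("&amp;"); break;
            case '<': out.append("&lt;"); break;
            case '>': out.append("&gt;"); break;
            default:
                if (c > 127) out.append("&#").append(c).append(';');
                else out.appendCodePoint(c);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: U+10400, the character used in the report.
        String input = "<b>" + new String(Character.toChars(0x10400)) + "</b>";
        System.out.println("per char:       " + escapePerChar(input));
        System.out.println("per code point: " + escapePerCodePoint(input));
    }
}
```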