www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: mod_include/5909: Default for "encoding" attribute in the <!--#echo directive is non consistent with behaviour of previous versions.
Date Wed, 22 Mar 2000 06:20:01 GMT
The following reply was made to PR mod_include/5909; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: gea22@cam.ac.uk
Cc: Apache bugs database <apbugs@apache.org>
Subject: Re: mod_include/5909: Default for "encoding" attribute in the
 <!--#echo directive is non consistent with behaviour of previous versions.
Date: Tue, 21 Mar 2000 23:11:55 -0700 (MST)

 On 21 Mar 2000, Giles Agnew wrote:
 
 > Previous versions of Apache defaulted to encoding="none" (ie the attribute wasn't available).
Version 1.3.12 introduces the encoding attribute (very useful) but it defaults to encoding="entity".
Thus any pages previously written (which assumed the default encoding="none") will break if
the change of encoding affects them. 
 > 
 > For example, if you've used HTML tags in your variables which you subsequently want
to echo, these get encoded to printable characters, so your HTML source appears as such in
the browser display.
 
 It is correct that the default has changed.  This is necessary for 
 security reasons related to the "cross site scripting" security problem.
 It is unlikely the default default will be changed.
 
 A config directive to change the default could perhaps be added,
 but in the vast majority of cases where people use mod_include, it
 is used to output something more than a static string.  In the
 majority of cases, this is based off some request variable that
 needs to be encoded.
 

Mime
View raw message