Opened 12 years ago

Closed 12 years ago

#890 closed defect (fixed)

hyde doesn't do any HTML-escaping for unknown languages

Reported by: sjamaan Owned by: Moritz Heidkamp
Priority: major Milestone:
Component: extensions Version:
Keywords: escaping, html, hyde Cc:
Estimated difficulty:

Description

The following will put the HTML code as-is into the output instead of escaping the angular brackets.

<enscript highlight="html">
<div>
  <span>Hello, <strong>dear</strong> friends.</span>
  <span>This is a simple example.</span>
</div>
</enscript>

The problem here is that hyde calls colorize with an exception handler which just returns the original code. This code is then injected, whereas colorize will return HTML, taking care of escaping.

Actually, hyde should choose whether it wants to do string manipulation or use SXML throughout. Using inject is a nasty hack and should be avoided. Take a look at qwiki; it calls html->sxml on the output of colorize and any other user-supplied HTML. If hyde would do this, it also ensures that any mistakes in any of the converters (or the user's own code) don't mess up the SXML structure.
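As an added illustration of the fix pattern described above (example code written for CHICKEN 5, not hyde's or colorize's own; `fake-highlight`, `colorize-unsafe` and `colorize-safe` are hypothetical stand-ins for the real calls):

```scheme
;; Added example, not code from hyde or colorize. It contrasts the handler
;; that returns the raw source (which then gets injected as live markup)
;; with a fallback that escapes the source before anything is injected.
(import (chicken condition) (chicken port))   ; CHICKEN 5 modules

;; Minimal HTML escaper for element content and attribute values.
(define (html-escape str)
  (with-output-to-string
    (lambda ()
      (let loop ((i 0))
        (when (< i (string-length str))
          (let ((c (string-ref str i)))
            (case c
              ((#\<) (display "&lt;"))
              ((#\>) (display "&gt;"))
              ((#\&) (display "&amp;"))
              ((#\") (display "&quot;"))
              ((#\') (display "&#39;"))
              (else (write-char c))))
          (loop (+ i 1)))))))

;; Hypothetical stand-in for colorize: knows only "scheme" and raises for
;; any other language, reproducing the situation the ticket describes.
(define (fake-highlight lang code)
  (if (string=? lang "scheme")
      (string-append "<pre class=\"scheme\">" (html-escape code) "</pre>")
      (error "unknown language" lang)))

;; The buggy wrapper: on error the handler hands back the original code,
;; so the caller injects unescaped tags into the page.
(define (colorize-unsafe lang code)
  (handle-exceptions exn code (fake-highlight lang code)))

;; The fixed wrapper: the fallback escapes, so unknown languages still
;; come out as inert text rather than markup.
(define (colorize-safe lang code)
  (handle-exceptions exn
    (string-append "<pre>" (html-escape code) "</pre>")
    (fake-highlight lang code)))

;; Constructed sample input, the snippet from the ticket description.
(define sample
  "<div>\n  <span>Hello, <strong>dear</strong> friends.</span>\n</div>")

(print (colorize-unsafe "html" sample))   ; tags pass through untouched
(print (colorize-safe "html" sample))     ; tags come out as entities
```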

Attachments (1)

colorize-bugfix.patch (634 bytes) - added by sjamaan 12 years ago.
Fix for the immediate bug


Change History (2)

Changed 12 years ago by sjamaan

Attachment: colorize-bugfix.patch added

Fix for the immediate bug

comment:1 Changed 12 years ago by Moritz Heidkamp

Resolution: fixed
Status: new → closed

Thanks for the patch; I applied it to trunk and will include it in the next release. I'm not quite sold on SXML all the way down. I'll give it some more thought :-) Thanks!
