Discussion:
[php-blog-tracker] [ php-blog-Bugs-3228699 ] Textile plugin: HTML entities in pre-formatted text
SourceForge.net
2011-03-20 11:27:07 UTC
Bugs item #3228699, was opened at 2011-03-20 12:27
Message generated for change (Tracker Item Submitted) made by manko10
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=542822&aid=3228699&group_id=75065

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Plugins
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Janek Bevendorff (manko10)
Assigned to: Nobody/Anonymous (nobody)
Summary: Textile plugin: HTML entities in pre-formatted text

Initial Comment:
When using the Textile markup plugin, HTML special characters (<, >, &) are turned into HTML entities (&lt;, &gt;, &amp;), which is right, but if used inside pre text, those entities are then escaped again (&amp;lt;, &amp;gt;, &amp;amp;).

For instance:
pre. Foobar > 1

becomes

<pre>Foobar &amp;gt; 1</pre>

But instead it should just be <pre>Foobar &gt; 1</pre> so that the browser renders a greater-than symbol.
The plugin "Transforms for HTML plugins" is of course the first markup plugin in the list, but the issue also occurs without it.

----------------------------------------------------------------------

SourceForge.net
2011-03-20 18:38:43 UTC
Message generated for change (Comment added) made by garvinhicking
Category: Plugins
Group: None
Status: Pending
Resolution: None
Priority: 3
Private: No
Submitted By: Janek Bevendorff (manko10)
Assigned to: Garvin Hicking (garvinhicking)
Summary: Textile plugin: HTML entities in pre-formatted text

----------------------------------------------------------------------
Comment By: Garvin Hicking (garvinhicking)
Date: 2011-03-20 18:38

Message:
Hi!

Thanks for reporting. Can you state your s9y version, and which exact
event plugins you have installed - I believe this would be caused by markup
plugins being applied after textile.

"Transforms for HTML plugins" is not a plugin I recognize...?

Regards,
Garvin

----------------------------------------------------------------------

SourceForge.net
2011-03-20 20:01:43 UTC
Message generated for change (Comment added) made by manko10
Category: Plugins
Group: None
Status: Open
Resolution: None
Priority: 3
Private: No
Submitted By: Janek Bevendorff (manko10)
Assigned to: Garvin Hicking (garvinhicking)
Summary: Textile plugin: HTML entities in pre-formatted text

----------------------------------------------------------------------
Comment By: Janek Bevendorff (manko10)
Date: 2011-03-20 21:01

Message:
It shouldn't be a conflict with following markup plugins as it also happens
when I have disabled all other event plugins. And of course I meant
"Transforms HTML for comments", not "Transforms for HTML plugins". For
whatever reason I wrote that. :-)

My event plugins are in order:

Spartacus
Transforms HTML for comments
Markup: Textile
Markup: Emoticate
Statistics
Sitemap Generator (for Crawlers)
ContactForm
Avatar Plugin
Spam Protector
HTML META-Tags
Static Pages
Tagging of entries
Microblogging (Twitter, Identica)
Announce entries
Extended properties for entries

----------------------------------------------------------------------

SourceForge.net
2011-03-20 20:06:15 UTC
Message generated for change (Comment added) made by manko10

----------------------------------------------------------------------

Comment By: Janek Bevendorff (manko10)
Date: 2011-03-20 21:06

Message:
For reference: here is an example comment:
http://www.refining-linux.org/archives/28/21-The-command-line-calculator-bc/#c183

And this is the raw data of the code section:

pre. define trunc(x) {
    auto os,s;
    os=scale-5
    if(scale>=A){
        scale-=4
        s=1;if(x<0)s=-1
        x+=s*A^-scale
        scale-=1;x/=1
    }
    for(scale=0;scale<=os;scale++)if(x==x/1){x/=1;break}
    scale=os+5;return(x)
}

----------------------------------------------------------------------

SourceForge.net
2011-03-20 21:40:36 UTC
Message generated for change (Comment added) made by garvinhicking

----------------------------------------------------------------------
Comment By: Garvin Hicking (garvinhicking)
Date: 2011-03-20 21:40

Message:
Hi!

Ah! You're referring to blog COMMENTS, not entries. This is a very
different matter.

For security reasons, all comments get htmlspecialchar()ed. Since the
textile does this already as well, it will get double encoded. I don't
really know how to circumvent that, we would need to not use
htmlspecialchars then, but for people who wouldn't use textile markup this
would mean they could XSS your blog through comments.

I'm afraid this might be a conceptual problem together with a foreign
markup plugin that I don't know how to best solve. Maybe using bbcode
[code] would work for those people as well? This would not result in double
encoding, because bbcode wouldn't use htmlspecialchars on its own...

----------------------------------------------------------------------

SourceForge.net
2011-03-21 21:36:31 UTC
Message generated for change (Comment added) made by manko10

----------------------------------------------------------------------
Comment By: Janek Bevendorff (manko10)
Date: 2011-03-21 22:36

Message:
This problem should not be insolvable since it doesn't appear in comments
in general but only in pre text.
So when I just write

<, > &

everything is fine, but if I write

pre. <, >, &

The entities are double escaped. Therefore I guess you have
htmlspecialchars() twice in your code.

----------------------------------------------------------------------

SourceForge.net
2011-03-22 08:42:10 UTC
Message generated for change (Comment added) made by garvinhicking

----------------------------------------------------------------------
Comment By: Garvin Hicking (garvinhicking)
Date: 2011-03-22 08:42

Message:
Hi!

The "problem" is: Everything that textile passes to a comment gets
htmlspecialchar()ed. Textile doesn't do any encoding by default, but in a
.pre context it does.

So we would need to remove the htmlspecialchar()ing inside the textile
class for pre. coding, but then this would mean that it wouldn't behave
like textile anymore.

Did you try to move the "Transform HTML for comment" AFTER the textile
plugin, or disable it, to see if that might properly recode the entities?
The only good way that comes to my mind is to enhance the transform-html
plugin to remove a duplicate encoding by replacing &amp;blabla; to &blabla;
again?

Regards,
Garvin


----------------------------------------------------------------------
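The double encoding discussed in this ticket, and the entity-collapsing fix-up Garvin proposes for the transform-html plugin, modelled as an added Python example (not Serendipity, Textile or plugin code). The processing order is an assumption reconstructed from the reported output: the comment body is escaped once as the XSS guard, then a Textile-like `pre.` handler escapes its block a second time; `html.escape` stands in for PHP's htmlspecialchars().

```python
"""Added example (not Serendipity, Textile or plugin code): models the
double encoding reported in this ticket and the entity-collapsing fix-up
proposed in the thread.  Assumed processing order, reconstructed from the
reported output: the comment body is escaped once as the XSS guard, then a
Textile-like 'pre.' handler escapes its block a second time."""
import html
import re


def escape_comment(raw: str) -> str:
    """Stand-in for the comment-level htmlspecialchars() (the XSS guard).
    quote=False mirrors its handling of &, < and >; PHP also escapes '"'."""
    return html.escape(raw, quote=False)


def textile_pre(text: str) -> str:
    """Minimal stand-in for Textile: a 'pre. ' block is wrapped in <pre> and
    escaped (unaware that the body was already escaped); anything else is
    wrapped in <p> untouched, which is why inline '<, > &' renders fine."""
    if text.startswith("pre. "):
        return "<pre>" + html.escape(text[len("pre. "):], quote=False) + "</pre>"
    return "<p>" + text + "</p>"


def render_buggy(raw: str) -> str:
    """Current behaviour: 'pre. Foobar > 1' -> '<pre>Foobar &amp;gt; 1</pre>'."""
    return textile_pre(escape_comment(raw))


# '&amp;' immediately followed by a complete entity reference: named,
# decimal numeric or hexadecimal numeric.
DOUBLE_ENTITY = re.compile(r"&amp;(#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def undo_double_encoding(out: str) -> str:
    """The proposed fix-up: collapse '&amp;xxx;' back to '&xxx;'.  The XSS
    guard stays intact: every match is rewritten to another entity
    reference, so the substitution can never emit a raw '<' or '>'."""
    return DOUBLE_ENTITY.sub(r"&\1;", out)


def render_fixed(raw: str) -> str:
    """Escape, run Textile, then repair only the doubly encoded entities."""
    return undo_double_encoding(render_buggy(raw))


def unsafe_render(raw: str) -> str:
    """The rejected alternative from the thread: drop the comment-level
    escaping so Textile encodes once.  Markup in a non-pre comment then
    reaches the page verbatim, which is the XSS exposure Garvin describes."""
    return textile_pre(raw)


if __name__ == "__main__":
    # Constructed samples covering the cases raised in the ticket.
    for raw in ("<, > &", "pre. Foobar > 1", "pre. a &amp; b", "<b>x</b>"):
        print(f"{raw!r:22} buggy={render_buggy(raw)!r} fixed={render_fixed(raw)!r}")
```

A comment that deliberately contains an entity, such as `pre. a &amp; b`, survives the fix-up as `&amp;amp;` and still renders as the text the author typed.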