
Item12659: NAMEFILTER setting in jQuery.extend causes invalid XHTML

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: Configure, JQueryPlugin, JavaScript
Branches: trunk
Reported By: MartinVonGagern
Waiting For:
Last Change By: GeorgeClark
I've noticed that the files generated on my site are not valid XML. This is not fatal, since they are shipped as text/html, not application/xhtml+xml, but as the header indicates the file is XHTML, I still consider this rather bad form, since browsers might decide to try parsing things as XHTML.

The problem is the following:

<script type='text/javascript'>
jQuery.extend(foswiki, {
 "preferences": {
    …,
    "NAMEFILTER": "[\s\*?~^\$@%`\"'&;|<>\[\]#\x00-\x1f]"
}});
</script><!--JQUERYPLUGIN::FOSWIKI::PREFERENCES-->

The content of that script contains < and &, both of which are invalid in this form outside a CDATA section of an XML file.

Looking at the sources, JQueryPlugin/FOSWIKI.pm in particular, I see that it simply delegates encoding to the ENCODE macro, using type="quote". This obviously isn't up to the task. The right way, in my opinion, would be writing & and < as hexadecimal escape sequences, i.e. \x26 and \x3c. Having an encoding type which does this transformation, and perhaps also escapes backslashes along the way, would be useful for all situations where a string needs to be pasted into JavaScript embedded into XHTML.

-- MartinVonGagern - 20 Nov 2013
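An added illustration of the hex-escaping approach proposed above, written in Python rather than Foswiki's Perl (the function names are hypothetical, not Foswiki's API): every character that is unsafe in XML element content or inside a JavaScript string literal, including the backslash, is emitted as a \xHH escape, the resulting script element is checked for XML well-formedness, and the escaped value is decoded again to confirm the JavaScript engine would still see the original NAMEFILTER regex.

```python
import re
import xml.etree.ElementTree as ET

# Characters that must not appear raw inside a <script> element of an XHTML
# document (< and &), or that would break out of / alter a double-quoted
# JavaScript string literal (quotes, backslash, control characters).
# '>' is escaped too so that a ']]>' sequence can never be produced.
_UNSAFE = re.compile(r"""[<>&"'\\\x00-\x1f]""")

def js_string_escape(text: str) -> str:
    """Hypothetical replacement for ENCODE type="quote": write each unsafe
    character as a JavaScript \\xHH escape, which is plain ASCII and thus
    harmless to an XML parser."""
    return _UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)

def js_string_unescape(text: str) -> str:
    """Decode \\xHH escapes the way a JS engine would.  Valid here because
    js_string_escape leaves no other backslash sequences in its output."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)

def preferences_script(prefs: dict) -> str:
    """Render the jQuery.extend(foswiki, {...}) block quoted in the report,
    with every key and value passed through js_string_escape."""
    items = ",\n".join('    "%s": "%s"' % (js_string_escape(k), js_string_escape(v))
                       for k, v in prefs.items())
    return ("<script type='text/javascript'>\n"
            "jQuery.extend(foswiki, {\n \"preferences\": {\n%s\n}});\n"
            "</script><!--JQUERYPLUGIN::FOSWIKI::PREFERENCES-->" % items)

def is_well_formed_xml(fragment: str) -> bool:
    """True if FRAGMENT parses as XML content (what an XHTML parser needs)."""
    try:
        ET.fromstring("<div>%s</div>" % fragment)
        return True
    except ET.ParseError:
        return False

# The NAMEFILTER value from the report, as the actual string (not JS source).
NAMEFILTER = r'''[\s\*?~^\$@%`"'&;|<>\[\]#\x00-\x1f]'''

if __name__ == "__main__":
    script = preferences_script({"NAMEFILTER": NAMEFILTER})
    print(script)
    print("well-formed:", is_well_formed_xml(script))
```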

This regular expression is taken from the configuration. You should be able to fix this locally using bin/configure, changing the following:

From: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
  To: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'\x26;|\x3c>\\[\\]#\\x00-\\x1f]';

It's accessible in the "Security and Authentication" page, Environment Tab, as an "Expert" setting.

-- GeorgeClark - 20 Nov 2013

This is what I did manually, except I doubled the \\ since otherwise perl will interpret them, and you are back to where you started. I tried to find the source of this line in a current svn checkout, and found a qr/…/ regular expression instead of the string constant. But it seems that core/lib/LocalSite.cfg where I found that wasn't even from svn, but a local edit. I guess I'll have to grab a new clean svn checkout one of these days. Or clean my existing one.

-- MartinVonGagern - 20 Nov 2013

lib/LocalSite.cfg is managed by the bin/configure tool. The default is found in lib/Foswiki.spec, but that is generally not referenced again once Foswiki is installed. The initial run of bin/configure uses Foswiki.spec to establish the default settings and saves them into the lib/LocalSite.cfg. Sorry that I missed that they had to be doubled. Obviously reading a bit further on the same line shows the doubled \ for other hex values.

-- GeorgeClark - 21 Nov 2013

This is a duplicate of Item12179

-- GeorgeClark - 24 May 2014

Codebase: 1.1.9, 1.1.8, trunk
SVN Range:
Checkins: distro:ff546e21c4ff
trunkCheckins: distro:ff546e21c4ff
Release01x01Checkins:
Topic revision: r8 - 05 Jul 2015, GeorgeClark