Bug #258
Inline RDF description not escaped
| Status : | Closed | Start : | |
| Priority : | Normal | Due date : | |
| Assigned to : | tobi - | % Done : | 0% |
| Category : | frontend | | |
| Target version : | - | | |
| Resolution : | fixed | | |
Description
A post with quotation marks will not be escaped in the embedded RDF of a page. For example, the following post:
"Didn't want to go, didn't want to stay, didn't want to lie by my side; I don't really care, 'cause I'll still be there swallowing my pride -- someday, I'm gonna be there." Indeed.
will result in the following inline RDF:
<!--
<rdf:Description
rdf:about=""
trackback:ping="http://example.com/articles/trackback/63"
dc:title="Someday"
dc:identifier="http://example.com/articles/read/63"
dc:description=""Didn't want to go, didn't want to stay, didn't want to lie by my side; I don't really care, 'cause I'll still be there swallowing my pride -- someday, I'm gonna be there." Indeed."
dc:creator="Basil Crow"
dc:date="2005-05-01T16:56:38+00:00" />
</rdf:RDF>
-->
The lack of escaping causes the browser to parse the page incorrectly; for example, Firefox gets confused and ends up displaying the last "-->" in the browser.
Associated revisions
Make static search page HTML match normal pages; fix excess debugging code left from earlier commit. (closes #258)
Fixed css validity issues with azure (Closes #258)
History
05/01/2005 10:14 PM - bcrow -
- Status changed from Closed to Feedback
- Resolution deleted (fixed)
Same thing still happens for dc:title -- maybe apply the same fix as for the description?
05/03/2005 05:06 PM - ravenlock-true-evil-net -
- Status changed from Closed to Feedback
- Resolution deleted (fixed)
Quotes are not the only thing. Two consecutive dashes ("--") are (correctly) interpreted by standards-compliant browsers as end of comment, so a post like in the example above will end up displaying the "-->" after the closing rdf tag.
05/04/2005 10:35 AM - ravenlock-true-evil-net -
As a matter of fact, the quotes should make little or no difference to user-agents since the content is commented out anyway, it's the double dash that's the true culprit. Quotes would, however, cause trouble for feed readers, I imagine.
05/04/2005 07:35 PM - ravenlock-true-evil-net -
Since I'm not too well versed in Ruby yet I'm assuming this is not really the best one could come up with, but here's a quick and dirty fix:
in app/views/articles/_article.rhtml change
strip_html(article.body_html[0..255])
into
strip_html(article.body_html[0..255]).gsub(/--/, '—')
which turns double dashes into em-dashes (which is the character entity closest to a double dash IMO) and it's valid XML too (although how readers display it is beyond me). HTH.
05/05/2005 05:25 AM - ravenlock-true-evil-net -
#!html &#151;
05/05/2005 08:14 AM - scoop -
- Status changed from Feedback to Closed
- Resolution set to fixed
I don't see a "-->" rendered in any of the browsers I tested. Grepping through the XHTML spec didn't reveal any hint at "--" closing off a comment either. Please supply any pointers to a referring passage in the spec and reopen this ticket.
Additionally, your proposed fix results in double escaping of the ampersand of the entity, which doesn't really make sense either.
Gosh, and all this for tags that are barely used anyways :)
05/05/2005 07:58 PM - ravenlock-true-evil-net -
Hehe, blunders all the way. Such is the way of newbies. I brought this up because the first post I made with typo (2.0.6) resulted in the "-->" :)
I'm having some trouble with the way Trac is escaping my entities, what I meant was the xml character entity 151 (ampersand-pound-151-semicolon), but I'll give up any further attempts to make Trac see it the way I do :)
http://www.w3.org/MarkUp/html-spec/html-spec_3.html#SEC3.2.5
It's an old spec but the way Firefox highlighted the comments in the source viewer indicates to me that it's still the way comments are processed. Here's the relevant quote:
"A comment declaration consists of '<!' followed by zero or more comments followed by '>'. Each comment starts with '--' and includes all text up to and including the next occurrence of '--'."
Hence a double dash in the RDF is interpreted as a comment delimiter, and the next '>' as the end character for that comment tag -- leaving the '-->' visible.
Any better? :)
05/05/2005 08:23 PM - ravenlock-true-evil-net -
One more thing: sez the xml spec (http://www.w3.org/TR/REC-xml/#sec-comments), it's a SGML compatibility feature, and I quote: "the string "--" (double-hyphen) MUST NOT occur within comments.". HTH, sorry again for spamming :)
07/10/2005 04:19 PM - scoop -
- Status changed from Feedback to Closed
- Resolution set to fixed
Fixed in r302
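An added example, not part of the ticket and not the r302 change: one way to prepare values for the comment-wrapped RDF so that quotes cannot end an attribute and "--" never appears inside the comment. The helper names are hypothetical. The hyphen rewrite runs after entity escaping, so the ampersand of the character reference is not escaped a second time.

```ruby
# Added example, not Typo's code: helper and method names are hypothetical.
XML_ATTR_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# Escape a value for a double-quoted XML attribute that sits inside a comment.
def rdf_comment_attr(value)
  escaped = value.to_s.gsub(/[&<>"]/, XML_ATTR_ESCAPES)
  # XML forbids "--" inside a comment: replace every hyphen that is followed by
  # another hyphen with a character reference. An RDF/XML parser reading the
  # uncommented block decodes &#45; back to "-".
  escaped.gsub(/-(?=-)/, '&#45;')
end

# Build the comment-wrapped RDF block; pass escape: false to reproduce the bug.
def inline_rdf(attrs, escape: true)
  lines = attrs.map do |name, value|
    %(  #{name}="#{escape ? rdf_comment_attr(value) : value}")
  end
  "<!--\n<rdf:Description\n#{lines.join("\n")} />\n-->"
end

# True when the text between "<!--" and the final "-->" contains no "--"
# and every attribute line has the shape name="value" without a stray quote.
def comment_safe?(block)
  body = block[/\A<!--(.*)-->\z/m, 1]
  return false if body.nil? || body.include?('--') || body.end_with?('-')
  body.lines.grep(/=/).all? { |l| l =~ /\A\s*[\w:]+="[^"]*"(\s*\/>)?\s*\z/ }
end

# Constructed input, shortened from the post quoted in the ticket description.
POST = %q("Didn't want to go -- someday, I'm gonna be there." Indeed.)
ATTRS = { 'dc:title' => 'Someday -- "maybe"', 'dc:description' => POST }.freeze

puts inline_rdf(ATTRS)
puts comment_safe?(inline_rdf(ATTRS, escape: false)) # unescaped output fails the check
puts comment_safe?(inline_rdf(ATTRS))                # escaped output passes
```

The same helper covers dc:title and dc:description, since both are interpolated into the same commented block.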
