[Bug 12235] Make <xmp> conforming

https://www.w3.org/Bugs/Public/show_bug.cgi?id=12235

--- Comment #20 from Aryeh Gregor <ayg@aryeh.name> ---
(In reply to Carl Smith from comment #17)
> The output must be converted to HTML, which involves preserving all
> whitespace, including tabs (think `ls -la`).
> 
> Converting every space to &nbsp; and every new line to <br> and then
> converting tabs into HTML tables, doesn't actually cover all the edge cases,
> and it takes ages, and roughly doubles the size of the output.

You want to escape only < and &, as &lt; and &amp; respectively, and wrap in
<pre>.  This should only increase the size of the output slightly, unless you
have an extremely large number of < or &.

(What does "it takes ages" mean?)

> output = '<xmp>'+output+'</xmp>'; // works perfectly

Only until your output happens to contain the string "</xmp>" (or any
equivalent).  Then it will break.  If your application accepts untrusted input,
moreover, you've created a very easily exploitable XSS vulnerability.

> It's been pointed out that there are ways to hack the same effect by
> combining a bunch of other tags, but is that really what we want in HTML5?

Yes, this is the normal way to do things in web programming.  <xmp> doesn't
really help much, because as soon as "</xmp>" occurs your solution breaks and
you have to fall back to <pre> and escaping anyway.  <xmp> is mostly only
useful for hand-authoring.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Sunday, 13 October 2013 11:05:36 UTC
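As an added illustration (not code from the bug report or from either commenter), the escape-and-wrap approach comment #20 recommends, side by side with the naive `'<xmp>'+output+'</xmp>'` concatenation from comment #17, plus a check that mirrors how the HTML tokenizer decides where an `<xmp>` element ends; function names and the sample listing are my own.

```javascript
// Added example, not from the bug thread. Renders program output (e.g. an
// `ls -la` listing with tabs) as preformatted HTML and shows why the
// unescaped <xmp> wrapper breaks as soon as the output contains "</xmp>".

// Safe rendering: escape only the two characters that can change meaning in
// <pre> text content: '&' (starts an entity) and '<' (starts a tag).
// Tabs, spaces and newlines are left alone; <pre> preserves them.
function renderPre(output) {
  const escaped = output.replace(/&/g, '&amp;').replace(/</g, '&lt;');
  return '<pre>' + escaped + '</pre>';
}

// The naive approach from comment #17: no escaping at all.
function renderXmpNaive(output) {
  return '<xmp>' + output + '</xmp>';
}

// The tokenizer treats <xmp> content as RAWTEXT: it ends at the first
// "</xmp" (case-insensitive) followed by whitespace, "/" or ">". Everything
// after that point is parsed as markup again. Matching this rule, rather
// than the literal string "</xmp>", is what "or any equivalent" covers.
const XMP_BREAKOUT = /<\/xmp[\t\n\f \/>]/i;

function breaksOutOfXmp(output) {
  return XMP_BREAKOUT.test(output);
}

// Constructed sample: a short listing followed by a line that would not be
// text any more if it reached the page through the <xmp> wrapper.
const sample =
  'total 8\n' +
  '-rw-r--r--  1 user  staff\t42 Oct 13 11:05 a&b.txt\n' +
  '</XMP ><b>parsed as markup, not text</b>\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderPre(sample));
  console.log('xmp wrapper breaks:', breaksOutOfXmp(sample)); // true
}
```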