ooopppss [Re: Problem with SSI in form elements] from Sebastian Lange on 2000-08-25 (html-tidy@w3.org from July to September 2000)

From: Sebastian Lange <lange@cyperfection.de>
Date: Fri, 25 Aug 2000 10:02:00 +0200
To: html-tidy@w3.org
Message-Id: <4.3.2.7.2.20000825095444.01b03b48@pop3.cyperfection.de>

oppsss... I just realized that I missed the exclamation marks.. sorry for 
that... here's the corrected code:

$to_be_tidied_data = "content of file to be tidied";
# replace all <!--#...--> blocks with a placeholder string
my @SSIStack;
my $SSIBlock;
my $i = 0;
while ($to_be_tidied_data =~ m/(<!--\#.*?-->)/gsi) {
   $SSIStack[$i] = defined($1) ? $1 : "";
   $to_be_tidied_data =~ s/<!--\#.*?-->/SSIStackPlaceHolder\[$i\]/si;
   $i++;
}


$tidied_data = &tidy($to_be_tidied_data);

# replace all placeholder strings with the corresponding <!--#...-->
for ($i=0; $i <= scalar @SSIStack; $i++) {
   $tidied_data =~ s/SSIStackPlaceHolder\[$i\]/$SSIStack[$i]/s;
}


At 15:19 25.08.2000 +1200, Richard A. O'Keefe wrote:
>         If you use SSI in form elements like this:
>
>         <input type="text" name="referer"
>                value="<!--#echo var="HTTP_REFERER"-->" />
>
> >From the /> at the end, I see this is XHTML.
>Looking in the XML 1.0 spec (actually the latest revised draft),
>we find in section 2.3 that
>
>[10] AttValue ::= '"' ([^<&"] | Reference)* '"'
>                |  "'" ([^<&'] | Reference)* "'"
>
>That is, within an attribute value,
>     ampersand is reserved for introducing character/entity references,
>     the quotation mark you started with is forbidden, and
>     THE LESS THAN SIGN IS NOT AT ALL ALLOWED.
>
>I don't really see the point in this restriction.  After all, we're
>talking about the inside of a string, and there is nothing else that
>less than could mean there.  Perhaps it was precisely so that people
>*could* write stuff like this.
>
>What's more, if we look at it, what we see is
>
>         [value] [=] ["<!--#echo var="] [HTTP_REFERER] ["-->"]
>
>which would not be syntactically legal XHTML even if XML *did*
>allow less than signs inside attribute values, because it would
>be two attribute bindings, one of them missing an equal sign.
>
>Would it be possible to change this to
>
>         value='<!--#echo var="#HTTP_REFERER"-->'
>
>where the quotation marks are different?

--
Sebastian Lange
http://www.sl-chat.de/
Maybe the first chat site that validates as HTML
4.0 even though user input may contain HTML codes.

Courtesy to Dave Raggett's HTML Tidy:
http://www.w3.org/People/Raggett/tidy/

Tidy your documents ONLINE:
http://www.sl-chat.de/Tidy/

Received on Friday, 25 August 2000 04:04:46 UTC