- From: <bugzilla@jessica.w3.org>
- Date: Sun, 13 Oct 2013 11:05:33 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=12235

--- Comment #20 from Aryeh Gregor <ayg@aryeh.name> ---
(In reply to Carl Smith from comment #17)
> The output must be converted to HTML, which involves preserving all
> whitespace, including tabs (think `ls -la`).
>
> Converting every space to &nbsp; and every new line to <br> and then
> converting tabs into HTML tables, doesn't actually cover all the edge cases,
> and it takes ages, and roughly doubles the size of the output.

You want to escape only < and &, as &lt; and &amp; respectively, and wrap in <pre>. This should only increase the size of the output slightly, unless you have an extremely large number of < or &. (What does "it takes ages" mean?)

> output = '<xmp>'+output+'</xmp>'; // works perfectly

Only until your output happens to contain the string "</xmp>" (or any equivalent). Then it will break. If your application accepts untrusted input, moreover, you've created a very easily exploitable XSS vulnerability.

> It's been pointed out that there are ways to hack the same effect by
> combining a bunch of other tags, but is that really what we want in HTML5?

Yes, this is the normal way to do things in web programming. <xmp> doesn't really help much, because as soon as "</xmp>" occurs your solution breaks and you have to fall back to <pre> and escaping anyway. <xmp> is mostly only useful for hand-authoring.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Sunday, 13 October 2013 11:05:36 UTC
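
The escape-and-wrap approach from the comment above, next to the `<xmp>` wrapper it replaces, as an added example that is not part of the original message. The function names and the sample string are constructed for illustration; the end-tag pattern assumes the HTML tokenizer's rule that the closing tag name is matched case-insensitively and may be followed by whitespace, `/` or `>`.

```javascript
// Added example: names and sample data are constructed, not from the bug thread.

// Escape only the two characters that matter inside element content.
// '&' is replaced first so the '&' of a freshly written "&lt;" is not escaped again.
function escapeForPre(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Wrap program output for display. The newline after <pre> is deliberate:
// the HTML parser drops one newline directly after the start tag, so ours is
// the one consumed and a leading newline in the output itself survives.
function toPre(text) {
  return '<pre>\n' + escapeForPre(text) + '</pre>';
}

// The wrapper quoted in the comment, kept for comparison.
function toXmp(text) {
  return '<xmp>' + text + '</xmp>';
}

// Index at which a browser would close <xmp> early, or -1 if the text never
// contains an end tag for it ("</xmp>" or any equivalent spelling).
function xmpBreakIndex(text) {
  return text.search(/<\/xmp[\t\n\f \/>]/i);
}

// Constructed sample: tab-separated listing plus a line that mentions the tag.
const sample =
  'total 2\n-rw-r--r--\t1\ta & b\tnotes <draft>\n' +
  'see </XMP > for details <b>bold</b>\n';

const at = xmpBreakIndex(sample);
console.log('xmp wrapper ends early at offset', at);
console.log('text left outside <xmp>:', JSON.stringify(sample.slice(at)));
console.log(toPre(sample));
```

Everything after the reported offset would be parsed as ordinary markup by the `<xmp>` wrapper, while the `<pre>` version keeps tabs and newlines intact and contains no `<` other than its own two tags.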