Details
- Bug
- Resolution: Unresolved
- Major
- 16.10.0
Description
The output of $jsontool and $escapetool.javascript is frequently used in HTML macros. To prevent their output from interfering with the closing of the surrounding HTML macro, both should escape {. This also prevents accidental escaping of such output with HTML escaping, which would alter the meaning of the content.
Steps to reproduce:
Put one of the following two wiki syntaxes in a document:
{{velocity}} {{html clean="false"}} $jsontool.serialize('{{html}}') {{/html}} {{/velocity}}
{{velocity}} {{html clean="false"}} $escapetool.javascript('{{html}}') {{/html}} {{/velocity}}
Expected result:
The text {{html}} is displayed (in quotes for the json tool).
Actual result:
For the first version "{{html}}" {{/html}} is displayed; the second version produces {{html}} {{/html}}
This shows that, due to the extra opening HTML macro syntax, the parser considers the closing HTML macro syntax as content, leading to the unwanted output. This is a problem in particular when the printed text contains user-controlled strings. Both tools already escape "/" so their output cannot close the HTML macro.
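As an added illustration (not XWiki's code), the following JavaScript mimics the escaping the report asks for: inside every string literal, "/" and "{" are emitted as the JSON/JavaScript escapes "\/" and "\u007b", so the serialized text can never contain the "{{" that the wiki parser reads as macro syntax, while the decoded value is unchanged. The helper names (escapeJsString, serializeJson, containsMacroSyntax) are hypothetical.

```javascript
// Escape one string the way $escapetool.javascript would, plus the "{"
// escaping proposed in the report. JSON.stringify handles backslash, quotes
// and control characters; the two replaces add "/" and "{". Both replacements
// are legal JSON and JavaScript string escapes, so the decoded value is intact.
function escapeJsString(str) {
  return JSON.stringify(str).slice(1, -1)   // drop the surrounding quotes
    .replace(/\//g, '\\/')                  // "/"  -> "\/"  (already done by the tools)
    .replace(/\{/g, '\\u007b');             // "{"  -> "\u007b" (the proposed fix)
}

// JSON serializer in the spirit of $jsontool.serialize. Only string contents are
// escaped; structural braces are left alone because an object brace is always
// followed by '"' or '}', never by another "{", so structure alone cannot form "{{".
function serializeJson(value) {
  if (typeof value === 'string') return '"' + escapeJsString(value) + '"';
  if (Array.isArray(value)) return '[' + value.map(serializeJson).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value)
      .map((k) => '"' + escapeJsString(k) + '":' + serializeJson(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value);             // number, boolean, null
}

// Defender-side check: does this text contain anything the wiki parser would
// treat as opening or closing macro syntax ("{{name" or "{{/name")?
function containsMacroSyntax(text) {
  return /\{\{\/?[A-Za-z]/.test(text);
}

// Constructed user-controlled input taken from the report's reproduction steps.
const userInput = '{{html}}';
// Naive serialization leaks macro syntax; the hardened one does not,
// and JSON.parse still recovers the original string.
console.log(containsMacroSyntax(JSON.stringify(userInput)));   // true
console.log(serializeJson(userInput));                          // "\u007b\u007bhtml}}"
console.log(containsMacroSyntax(serializeJson(userInput)));     // false
console.log(JSON.parse(serializeJson(userInput)) === userInput); // true
```

The same check is useful as a regression test around any template that prints tool output inside {{html}}: serialize the worst-case input and assert that containsMacroSyntax is false.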