Details
- Bug
- Resolution: Fixed
- Major
- 16.10.0
- None
- Unit
- Unknown
- N/A
- N/A

Description
The output of $jsontool and $escapetool.javascript is frequently used in HTML macros. To prevent their output from interfering with the closing of the surrounding HTML macro, both should escape {. This also prevents such output from being accidentally HTML-escaped, which would alter the meaning of the content.
Steps to reproduce:
Put one of the following two wiki syntaxes in a document:
{{velocity}}
{{html clean="false"}}
$jsontool.serialize('{{html}}')
{{/html}}
{{/velocity}}

{{velocity}}
{{html clean="false"}}
$escapetool.javascript('{{html}}')
{{/html}}
{{/velocity}}
Expected result:
The text
{{html}}
or
\u007B\u007Bhtml}}
(using JavaScript/JSON escaping for {) is displayed (in quotes for the json tool).
Actual result:
For the first version
"{{html}}" {{/html}} 
is displayed, the second version produces
{{html}} {{/html}}
This shows that, because of the extra opening HTML macro syntax, the parser treats the closing HTML macro syntax as content, leading to the unwanted output. This is particularly a problem when the printed text contains user-controlled strings. Both tools already escape "/", so their output cannot close the HTML macro.
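
The escaping requested above, sketched in JavaScript as an added example (this is not XWiki's implementation of $jsontool or $escapetool; `serializeForHtmlMacro` and `containsMacroSyntax` are hypothetical names and the sample input is constructed). It rewrites `{` and `/` only inside JSON string literals, so structural braces of objects stay valid and the value is unchanged after parsing:

```javascript
// Added example, not XWiki code. Hypothetical helper: JSON-serialize a value
// so that no string literal in the output can contain wiki macro syntax.
function serializeForHtmlMacro(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    return undefined; // e.g. a bare function or undefined has no JSON form
  }
  // Match each JSON string literal (keys and values), including escaped quotes.
  return json.replace(/"(?:[^"\\]|\\.)*"/g, (literal) =>
    literal
      .replace(/\{/g, '\\u007B') // "{" can no longer open "{{html}}"
      .replace(/\//g, '\\/')     // "/" can no longer form "{{/html}}"
  );
}

// Hypothetical check: does the text contain something a macro parser would
// read as an opening or closing macro marker such as {{html}} or {{/html}}?
function containsMacroSyntax(text) {
  return /\{\{\/?[a-zA-Z]/.test(text);
}

// Constructed sample input standing in for a user-controlled string.
const userInput = '{{html}} and {{/html}}';

const naive = JSON.stringify(userInput);
const escaped = serializeForHtmlMacro(userInput);

console.log(naive, containsMacroSyntax(naive));
console.log(escaped, containsMacroSyntax(escaped));
console.log(JSON.parse(escaped) === userInput);

// Nested objects keep their structural braces; only string contents change.
console.log(serializeForHtmlMacro({ title: '{{html}}', tags: ['a/b'] }));
```
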