Do not escape comments #110

Merged
merged 2 commits into from
Apr 6, 2016
Drup commented Apr 2, 2016

See #90
This is only a simplistic fix (and it adds re as a dep of the functor part, which is annoying).


let re_end_comment = Re.(compile @@ str "-->")
let escape_comment =
Re.replace_string ~all:true re_end_comment ~by:"-->"
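
Review bot: `re_end_comment` matches only the literal `-->`, so `escape_comment` leaves untouched any comment data that contains `--!>` or that begins with `>` or `->`, which the discussion below lists as also ending a comment in recovering parsers; cover those sequences too. As rendered here, the `~by:` string is identical to the matched text, which would make the replacement a no-op; the replacement must be a string that contains no `>`.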
Contributor

In HTML (and IIRC XML), even -- is not allowed in comments, so it may be more sensible to replace -+ (as a regexp) with -. Also, the replacement > doesn't have any special meaning in comments.

aantron commented Apr 2, 2016

Actually, in HTML5, <!--> is unfortunately a comment as well, so you need to avoid payloads beginning >. My commit comment is not sufficient to deal with this. Anyway, HTML is a giant mess and I need to take a break, but if you ignore this issue for a few hours, I will come back with some recommendation and a list of what things to watch out for, based on the comment parsing rules in the HTML spec.

aantron commented Apr 3, 2016

Ok, here are all the cases for a comment ending "prematurely":

  1. the comment data starts with >,
  2. the comment data starts with ->,
  3. the comment data contains '-->',
  4. the comment data contains '--!>'.

Only (3) represents a valid comment terminator, but recovering parsers (such as in browsers) are required to end the comment in all of these situations.

(4) is a bit irregular: comment data can start with !> or -!> without triggering a premature comment end.

Probably, replacing > with &gt; in each of these cases is the best approach. It applies systematically, and is pretty easy to reason about since &gt; doesn't contain -, !, >.
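
The four cases above can be handled in one pass over the comment data. This is an added example, not part of the thread and not the code merged in this pull request; it uses only the OCaml standard library, and the names `preceded_by`, `closes_comment`, `escape_comment` and `ends_prematurely`, as well as the sample strings, are assumptions made here.

```ocaml
(* Added example, not the project's code. Escapes the '>' of every sequence
   that would end an HTML comment early, per the four cases listed above. *)

(* True if [suffix] sits immediately before index [i] of [s]. *)
let preceded_by s i suffix =
  let n = String.length suffix in
  i >= n && String.sub s (i - n) n = suffix

(* Does the '>' at index [i] of comment data [s] terminate the comment? *)
let closes_comment s i =
  i = 0                          (* case 1: data starts with ">"  *)
  || (i = 1 && s.[0] = '-')      (* case 2: data starts with "->" *)
  || preceded_by s i "--"        (* case 3: data contains "-->"   *)
  || preceded_by s i "--!"       (* case 4: data contains "--!>"  *)

(* Replace only the terminating '>' characters with "&gt;". The replacement
   contains no '-', '!' or '>', so it cannot create a new terminator. *)
let escape_comment s =
  let b = Buffer.create (String.length s + 8) in
  String.iteri
    (fun i c ->
       if c = '>' && closes_comment s i then Buffer.add_string b "&gt;"
       else Buffer.add_char b c)
    s;
  Buffer.contents b

(* Re-scan: true if any '>' in [s] still falls under one of the four cases. *)
let ends_prematurely s =
  let rec scan i =
    i < String.length s
    && ((s.[i] = '>' && closes_comment s i) || scan (i + 1))
  in
  scan 0

(* Constructed sample inputs paired with the expected escaped output. *)
let () =
  List.iter
    (fun (input, expected) ->
       let out = escape_comment input in
       assert (out = expected);
       assert (not (ends_prematurely out));
       Printf.printf "%S -> %S\n" input out)
    [ ">x", "&gt;x";            (* case 1 *)
      "->x", "-&gt;x";          (* case 2 *)
      "a-->b", "a--&gt;b";      (* case 3 *)
      "a--!>b", "a--!&gt;b";    (* case 4 *)
      "--->", "---&gt;";        (* "-->" preceded by an extra '-' *)
      "!>x", "!>x";             (* allowed at the start: left unchanged *)
      "-!>x", "-!>x";           (* allowed at the start: left unchanged *)
      "a->b > c", "a->b > c" ]  (* harmless '>' left unchanged *)
```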

Drup commented Apr 5, 2016

@aantron Thanks a lot, I modified the code to handle all the cases.

aantron commented Apr 5, 2016

👍 LGTM

aantron commented Apr 5, 2016

I should qualify that – I looked at the comments. The XML declaration and DOCTYPE output code does look a bit sketchy, depending on where the arguments can come from.

Drup commented Apr 6, 2016

> The XML declaration and DOCTYPE output code does look a bit sketchy, depending on where the arguments can come from.

I doubt people will have user input ending up there.

Drup merged commit 35b8258 into master Apr 6, 2016
Drup deleted the noescape branch April 6, 2016 21:18