XHTML, script, and escaping


XHTML, script, and escaping

NoSuchLuke
I'm starting to try out Thymeleaf, moving from JSP, and I'm super impressed! The quick response on forum queries and bug fixes is also great.

JSP, without watchful intervention, used to output stupid things like:
<script src="foo.js" />
<script>
var example = "Be careful of </script>!";
</script>
So I was pleased as spit to see Thymeleaf output:
<script src="foo.js"></script>
<script>
var example = "Be careful of <\/script>!";
</script>
For targeting HTML5, this is dandy. But I also tried serving it as XHTML (i.e., content-type: application/xhtml+xml). Of course, in my source I need something like:
<script inline="javascript">
/*<![CDATA[*/
var example = /*[[${example}]]*/ "";
/*]]>*/
</script>
And in Spring I set thymeleafViewResolver.contentType. I also tried changing templateResolver.templateMode (HTML5 vs. XHTML) but I'm not sure what that actually does. So, this works fine, until I play hardball and try setting the model variable as
example = "Be careful of </script> & ]]>!"
The embedded CDATA-end doesn't get escaped, and everything breaks. Am I missing anything, or is it a bug?

Re: XHTML, script, and escaping

danielfernandez
Administrator

Good catch!

From what I could investigate, this is not a problem in current versions of most browsers (I've tested Firefox, Chrome, Opera and IE9), but it seems that IE7 and IE8 don't live too well with that ]]> living inside a CDATA section.

I've devised a solution for this and wrote about it at this new ticket: https://github.com/thymeleaf/thymeleaf/issues/61

I'm pretty sure this is a good solution, so unless you have something very bad to say about it it will be implemented and will go into 2.0.12.

Regards, and thanks.

Daniel.



Re: XHTML, script, and escaping

NoSuchLuke
Hmm, the problem in XHTML is pretty clear, but I never even thought about browsers dealing with CDATA in HTML, if that's what you mean.

I was wondering if this could be a problem anywhere else, since a CDATA could be used anywhere (pre?), but AFAIK this is the only situation where Thymeleaf tinkers with text rather than replacing it outright.

Yes, it seems "]]>" and "</" both need to be escaped within a script block (or likewise a style block), and off hand I can't think of any valid use of them outside a string literal. So why not just do the escaping as "]]\>"?

Re: XHTML, script, and escaping

danielfernandez
Administrator
NoSuchLuke wrote
Hmm, the problem in XHTML is pretty clear, but I never even thought about browsers dealing with CDATA in HTML, if that's what you mean.
Actually, I meant "]]>" inside a JavaScript fragment but outside a JavaScript string literal.

NoSuchLuke wrote
Yes, it seems "]]>" and "</" both need to be escaped within a script block (or likewise a style block), and off hand I can't think of any valid use of them outside a string literal. So why not just do the escaping as "]]\>"?
Yes, that should be perfectly correct. Somehow I felt more confident with string appending than with "\>" because ">" is not one of the characters that should be escaped in JS, so I wasn't sure every browser would recognize it. I've made some tests with current browser versions and it seems to work correctly, anyway... so I'll maybe go for the "/>" instead. I'll try to look for more information about this.

Thanks,
Daniel.
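The escaping discussed in this thread, as an added example that is not Thymeleaf's code and not part of the original posts. The function takes a model value and produces a JavaScript literal that is safe to inline in a script block whether the page is parsed as HTML (where "</" can close the script element) or as XHTML (where "]]>" can end the CDATA section). Both sequences are broken with a backslash inside the string literal; "\/" and "\>" are identity escapes in ECMAScript (a backslash before a character with no special meaning yields that character, in strict mode too), so the value the browser sees is unchanged. It goes a step beyond the thread by also breaking "<!--" and "-->", which the HTML parser treats specially inside script data, and by escaping U+2028/U+2029, which older engines reject inside string literals. The wrapper names (escapeForScriptBlock, wrapInlineScript) and the sample value are my own constructions.

```javascript
// Added example: context-safe inlining of a server-side value into <script>.
// Not Thymeleaf's implementation; names and sample data are constructed here.

// Sequences that end the enclosing context early, and their harmless spellings
// inside a JavaScript string literal (the backslash is an identity escape).
const CONTEXT_BREAKERS = [
  [/<\//g, '<\\/'],      // "</"  closes <script> when parsed as HTML
  [/\]\]>/g, ']]\\>'],   // "]]>" ends a CDATA section when parsed as XML
  [/<!--/g, '<\\!--'],   // "<!--" switches the HTML script tokenizer state
  [/-->/g, '--\\>'],     // "-->" leaves that state; break it as well
  [/\u2028/g, '\\u2028'],// line/paragraph separators: illegal in string
  [/\u2029/g, '\\u2029'],// literals before ES2019, so always escape them
];

// Turn any JSON-serialisable value into a JS literal that cannot terminate
// a <script> element or a CDATA section, regardless of how the page is parsed.
function escapeForScriptBlock(value) {
  // JSON.stringify already yields a valid JS expression and escapes quotes,
  // backslashes and control characters; what remains is context escaping.
  let literal = JSON.stringify(value);
  for (const [pattern, replacement] of CONTEXT_BREAKERS) {
    literal = literal.replace(pattern, replacement);
  }
  return literal;
}

// Build the script block for the two serving modes from the thread.
// HTML5 needs no CDATA wrapper; XHTML wraps the body in /*<![CDATA[*/ ... /*]]>*/.
function wrapInlineScript(varName, value, mode) {
  const body = 'var ' + varName + ' = ' + escapeForScriptBlock(value) + ';';
  if (mode === 'XHTML') {
    return '<script>\n/*<![CDATA[*/\n' + body + '\n/*]]>*/\n</script>';
  }
  return '<script>\n' + body + '\n</script>';
}

// Check used in the tests below: the generated body must contain neither
// terminator. The CDATA markers themselves are excluded from the check.
function bodyHasEarlyTerminator(scriptBlock) {
  const body = scriptBlock
    .replace('/*<![CDATA[*/', '')
    .replace('/*]]>*/', '')
    .replace(/^<script>|<\/script>$/g, '');
  return /<\/|\]\]>/.test(body);
}

// Evaluate the literal the way a browser would, to show the value round-trips.
function roundTrip(value) {
  return new Function('return ' + escapeForScriptBlock(value) + ';')();
}

// Constructed sample value from the thread.
const sample = 'Be careful of </script> & ]]>!';
console.log(wrapInlineScript('example', sample, 'XHTML'));
```

The original post's failure is the second pattern: with only "</" handled, the literal `"... ]]>!"` closes the CDATA section and the XML parser then sees the rest of the script as markup. Running the block prints the XHTML variant with both sequences neutralised; `roundTrip` confirms the JavaScript engine still reads the original string.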