Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32k
gh-69426: only unescape properly terminated character entities in attribute values#95215
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
gh-69426: only unescape properly terminated character entities in attribute values#95215
Uh oh!
There was an error while loading.Please reload this page.
Conversation
…in attribute values
ghost commentedJul 24, 2022 • edited by ghost
Loading Uh oh!
There was an error while loading.Please reload this page.
edited by ghost
Uh oh!
There was an error while loading.Please reload this page.
All commit authors signed the Contributor License Agreement. |
Lib/html/parser.py Outdated
| @@ -57,6 +58,26 @@ | |||
| # </ and the tag name, so maybe this should be fixed | |||
| endtagfind = re.compile(r'</\s*([a-zA-Z][-.a-zA-Z0-9:_]*)\s*>') | |||
| # Character reference processing logic specific to attribute values | |||
| # See: https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state | |||
| attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?') | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This partially duplicates an existing Regex, but I was not able to reuse the existing one for this purpose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Since the issue only seems to affect named character references, is there a reason to include numeric charrefs too in this regex?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Yes, the new_unescape_attrvalue is effectively a wrapper forhtml.escape that only delegates tohtml.escape if the attribute specific conditions are met. Since we still want to escape numeric and hex char refs in attributes, we need to include them in the regex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It would be better to move this immediately after the definition ofentityref andcharref. If we change one regexp, we will not forget to change the other.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done
Lib/test/test_htmlparser.py Outdated
| expected = [('starttag', 'a', [('href', 'foo"zar')]), | ||
| expected = [('starttag', 'a', [('href', 'foo "zar')]), | ||
| ('data', 'a"z'), ('endtag', 'a')] | ||
| for charref in charrefs: | ||
| self._run_check('<a href="foo{0}zar">a{0}z</a>'.format(charref), | ||
| self._run_check('<a href="foo{0}zar">a{0}z</a>'.format(charref), | ||
| expected, collector=collector()) | ||
| # check charrefs at the beginning/end of the text/attributes | ||
| # check charrefs at the beginning/end of the text | ||
| expected = [('data', '"'), | ||
| ('starttag', 'a', [('x', '"'), ('y', '"X'), ('z', 'X"')]), | ||
| ('starttag', 'a', []), | ||
| ('data', '"'), ('endtag', 'a'), ('data', '"')] | ||
| for charref in charrefs: | ||
| self._run_check('{0}<a x="{0}" y="{0}X" z="X{0}">' | ||
| self._run_check('{0}<a>' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Changed the existing tests to remove flawed assumptions about how the unescaping in attribute values should work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It might be better to remove all attribute-related checks from this test, and move them in the next.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done
Lib/test/test_htmlparser.py Outdated
| # do unescape char refs at begging and end of text attributes | ||
| charrefs = ['"', '"', '"', '"', '"', '"'] | ||
| expected = [('starttag', 'a', [('x', '"'), ('y', '"-X'), ('z', 'X-"')]), ('endtag', 'a')] | ||
| for charref in charrefs: | ||
| self._run_check('<a x="{0}" y="{0}-X" z="X-{0}"></a>'.format(charref), | ||
| expected, collector=collector()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Extracted this fromtest_convert_charrefs
@ezio-melotti I see you are marked as code owner. Would there be any interest in moving ahead with this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks for the PR!
I left a few inline comments, but if you prefer I could also make the suggested changes myself and push them to your branch.
Lib/html/parser.py Outdated
| @@ -57,6 +58,26 @@ | |||
| # </ and the tag name, so maybe this should be fixed | |||
| endtagfind = re.compile(r'</\s*([a-zA-Z][-.a-zA-Z0-9:_]*)\s*>') | |||
| # Character reference processing logic specific to attribute values | |||
| # See: https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state | |||
| attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?') | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Since the issue only seems to affect named character references, is there a reason to include numeric charrefs too in this regex?
Lib/html/parser.py Outdated
| return ref | ||
| def unescape_attrvalue(s): | ||
| return attr_charref.sub(replace_attr_charref, s) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Both functions should be private, and their name prefixed by an_.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done
Lib/html/parser.py Outdated
| def replace_attr_charref(match): | ||
| ref = match.group(0) | ||
| # Numeric / hex char refs must always be unescaped | ||
| if ref[1] == '#': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| ifref[1]=='#': | |
| ifref.startswith('&#'): |
I think this is clearer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done
Lib/html/parser.py Outdated
| return unescape(ref) | ||
| # Named character / entity references must only be unescaped | ||
| # if they are an exact match, and they are not followed by an equals sign | ||
| terminates_with_equals = ref[-1:] == '=' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| terminates_with_equals=ref[-1:]=='=' | |
| terminates_with_equals=ref.endswith('=') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done
Lib/test/test_htmlparser.py Outdated
| expected = [('starttag', 'a', [('href', 'foo"zar')]), | ||
| expected = [('starttag', 'a', [('href', 'foo "zar')]), | ||
| ('data', 'a"z'), ('endtag', 'a')] | ||
| for charref in charrefs: | ||
| self._run_check('<a href="foo{0}zar">a{0}z</a>'.format(charref), | ||
| self._run_check('<a href="foo{0}zar">a{0}z</a>'.format(charref), | ||
| expected, collector=collector()) | ||
| # check charrefs at the beginning/end of the text/attributes | ||
| # check charrefs at the beginning/end of the text | ||
| expected = [('data', '"'), | ||
| ('starttag', 'a', [('x', '"'), ('y', '"X'), ('z', 'X"')]), | ||
| ('starttag', 'a', []), | ||
| ('data', '"'), ('endtag', 'a'), ('data', '"')] | ||
| for charref in charrefs: | ||
| self._run_check('{0}<a x="{0}" y="{0}X" z="X{0}">' | ||
| self._run_check('{0}<a>' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It might be better to remove all attribute-related checks from this test, and move them in the next.
Lib/test/test_htmlparser.py Outdated
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢=123')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢=123"></a>', expected, collector=collector()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If possible, it would be better to match the style of the previous test, creating different lists of charrefs (e.g. valid, invalid, named, numeric, etc.) and add them in different places in the attribute (beginning, end, before an alnum/space/semicolon/equal).
Also try to keep the lines shorter than 80 chars (you can remove the initial part of the URLs, since they are not necessary).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks, looking at it combining multiple cases in a single attribute is indeed hard to read. I restructured the test to have two scenarios:
- terminated entity, numeric and hex char refs
- unterminated entity char refs
Both include cases for start, middle, end, as well as followed by alphanumeric, non-alphanumeric and equals sign. I hope it's a bit clearer now.
Also updated formatting to respect the 80 char limit.
Thanks for taking the time to review@ezio-melotti . I have addressed all comments. Could you please take another look when you find some time? |
kurtqq commentedJun 15, 2023
ping@ezio-melotti on this one would be nice to get it fixed |
Lib/html/parser.py Outdated
| @@ -57,6 +58,26 @@ | |||
| # </ and the tag name, so maybe this should be fixed | |||
| endtagfind = re.compile(r'</\s*([a-zA-Z][-.a-zA-Z0-9:_]*)\s*>') | |||
| # Character reference processing logic specific to attribute values | |||
| # See: https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state | |||
| attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?') | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It would be better to move this immediately after the definition ofentityref andcharref. If we change one regexp, we will not forget to change the other.
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM. 👍
Thank you for your contribution,@sissbruecker.
| @@ -23,6 +24,7 @@ | |||
| entityref = re.compile('&([a-zA-Z][-.a-zA-Z0-9]*)[^a-zA-Z0-9]') | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I wonder why there are. and- symbols in the name here? It may not be related to this issue.
77b14a6 intopython:mainUh oh!
There was an error while loading.Please reload this page.
Thanks@sissbruecker for the PR, and@serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14. |
Sorry@sissbruecker and@serhiy-storchaka, I had trouble checking out the |
…er entities in attribute values (pythonGH-95215)According to the HTML5 spec, named character references in attribute valuesshould only be processed if they are not followed by an ASCII alphanumeric,or an equals sign.(cherry picked from commit77b14a6)Co-authored-by: Sascha Ißbrücker <sascha.issbruecker@googlemail.com>https: //html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state
GH-133586 is a backport of this pull request to the3.13 branch. |
Thanks@sissbruecker for the PR, and@serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14. |
…er entities in attribute values (pythonGH-95215)According to the HTML5 spec, named character references in attribute valuesshould only be processed if they are not followed by an ASCII alphanumeric,or an equals sign.(cherry picked from commit77b14a6)Co-authored-by: Sascha Ißbrücker <sascha.issbruecker@googlemail.com>https: //html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state
GH-133704 is a backport of this pull request to the3.14 branch. |
…ter entities in attribute values (GH-95215) (GH-133704)According to the HTML5 spec, named character references in attribute valuesshould only be processed if they are not followed by an ASCII alphanumeric,or an equals sign.(cherry picked from commit77b14a6)https: //html.spec.whatwg.org/multipage/parsing.html#named-character-reference-stateCo-authored-by: Sascha Ißbrücker <sascha.issbruecker@googlemail.com>
…ter entities in attribute values (GH-95215) (GH-133586)According to the HTML5 spec, named character references in attribute valuesshould only be processed if they are not followed by an ASCII alphanumeric,or an equals sign.(cherry picked from commit77b14a6)https: //html.spec.whatwg.org/multipage/parsing.html#named-character-reference-stateCo-authored-by: Sascha Ißbrücker <sascha.issbruecker@googlemail.com>
Uh oh!
There was an error while loading.Please reload this page.
Fixes
HTMLParserto only unescape named character references in attribute values if they are properly terminated.According to theHTML5 spec, named character references in attribute values should only be processed if they are not followed by an ASCII alphanumeric, or an equals sign. So the following references should be unescaped:
¢¢ foo¢-fooWhile the following should not:
¢er¢=This change adds an attribute value specific character unescaping logic that should cover these cases.
Fixes:#69426