This bug is evident on both mac and windows version of Safari 3.1. I have not tested previous versions, as I do not have access to them. The following is the contents of an email I sent to the dev list regarding the issue: I'm having a little problem with Safari (3.1) and the escaping of XML when using XmlHttpRequest. The behavior that I'm seeing is that Safari/Webkit is not properly escaping & and < when sending an XML document to the server. For example, if I have the following XML document: <foo foo="a&b">a&b</foo> On Firefox/IE, the value sent to the server is: <foo foo"a&b">a&b</foo> However, on Safari, the value is: <foo foo="a&b">a&b</foo> I have included some proof-of-concept code at the end of this email. Please let me know if there is something obvious that I'm doing wrong, or if this is really a bug in Safari/Webkit. Thanks. -Keith Sample Code: This code simply creates an XML document that is the same as the example I gave above. It then creates an XHR object and sends it to the server. The server simply sends the received value back to the client, which is then displayed using an alert dialog. Under IE and FF, this code works fine. Under Safari, however, it does not. test.html <html> <head> </head> <body> </body> <script type="text/javascript"> // Create a new document var dom = document.implementation.createDocument("","", null); // Create the root node var root = dom.appendChild(dom.createElement("foo")); // Add an attribute root.setAttribute("foo", "a&b"); // Add a text node var txt = dom.createTextNode("a&b"); // Append it root.appendChild(txt); // Create the XHR object var xhr = new XMLHttpRequest(); xhr.open("POST", "test.php", true); xhr.onreadystatechange = function() { if (xhr.readyState == 4 && xhr.status == 200) { alert(xhr.responseText); } }; xhr.send(dom); </script> </html> test.php <?php print @file_get_contents('php://input'); ?>
Confirmed with 3.1 and TOT WebKit.
<rdar://problem/5857369>
I uploaded the test case to <http://bdash.net.nz/files/bug-18421.html> for easy access.
Here is some additional discussion that occurred on the dev list, for future reference: Erik Seidel: The FF/IE behavior looks to be in disagreement with the spec: http://www.w3.org/TR/XMLHttpRequest/#send So it seems like both the spec and our code should be changed. Please file a bug: http://webkit.org/quality/reporting.html Bugs reported on the mailing list are unlikely to be fixed unless also added to the bugs database. -eric Me: Hi Eric, Thanks for the quick response. Based upon the way I interpret the spec, it seems as though FF and IE are in agreement. Specifically, the spec states that send() should "Serialize data into a namespace well-formed XML document and encoded using the encoding given by data.xmlEncoding, if specified, or UTF-8 otherwise." Looking at the XML spec ( http://www.w3.org/TR/2006/REC-xml-20060816/#sec-well-formed), a well formed document should exclude < and & from attribute and entity values. Therefore, it seems as though FF/IE are doing the correct thing in escaping these characters, where-as Safari is not. Maybe I'm interpreting something wrong, though? I have filed a bug #18421 about the issue. What is the general processes for looking at/prioritizing bugs within WebKit? Thanks, Keith Eric Seidel: My apologies. I misread your message. You are correct. Our behavior seems wrong to me too. Please file a bug. -eric
See also: bug 19122.
*** Bug 19122 has been marked as a duplicate of this bug. ***
Created attachment 21228 [details] proposed fix
Comment on attachment 21228 [details] proposed fix r=me
Committed revision 33577.