Bug 18421 - XMLHttpRequest does not properly encode & and < in outgoing messages
Summary: XMLHttpRequest does not properly encode & and < in outgoing messages
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 525.x (Safari 3.1)
Hardware: All (OS: All)
Importance: P2 Normal
Assignee: Alexey Proskuryakov
URL: http://bdash.net.nz/files/bug-18421.html
Keywords: InRadar
Duplicates: 19122
Depends on:
Blocks:
 
Reported: 2008-04-10 22:02 PDT by Keith Kowalczykowski
Modified: 2008-05-19 12:14 PDT

See Also:


Attachments
proposed fix (14.96 KB, patch)
2008-05-19 10:26 PDT, Alexey Proskuryakov
darin: review+

Description Keith Kowalczykowski 2008-04-10 22:02:58 PDT
This bug is evident on both mac and windows version of Safari 3.1. I have not tested previous versions, as I do not have access to them. The following is the contents of an email I sent to the dev list regarding the issue:

I'm having a little problem with Safari (3.1) and the escaping of XML
when using XmlHttpRequest. The behavior that I'm seeing is that
Safari/Webkit is not properly escaping & and < when sending an XML document
to the server. For example, if I have the following XML document:

<foo foo="a&b">a&b</foo>

On Firefox/IE, the value sent to the server is:

<foo foo="a&amp;b">a&amp;b</foo>

However, on Safari, the value is:

<foo foo="a&b">a&b</foo>

I have included some proof-of-concept code at the end of this email. Please
let me know if there is something obvious that I'm doing wrong, or if this
is really a bug in Safari/Webkit. Thanks.

    -Keith

Sample Code:

This code simply creates an XML document that is the same as the example I
gave above. It then creates an XHR object and sends it to the server. The
server simply sends the received value back to the client, which is then
displayed using an alert dialog. Under IE and FF, this code works fine.
Under Safari, however, it does not.

test.html

<html>
    <head>
    </head>

    <body>
    </body>
    <script type="text/javascript">
        // Create a new, empty XML document (no namespace, no root yet)
        var dom = document.implementation.createDocument("", "", null);

        // Create the root node
        var root = dom.appendChild(dom.createElement("foo"));

        // Add an attribute whose value contains '&'
        root.setAttribute("foo", "a&b");

        // Add a text node whose value contains '&'
        var txt = dom.createTextNode("a&b");

        // Append it
        root.appendChild(txt);

        // Create the XHR object and POST the Document; the browser serializes it
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "test.php", true);
        xhr.onreadystatechange = function()
        {
            if (xhr.readyState == 4 && xhr.status == 200)
            {
                // test.php echoes the raw request body back
                alert(xhr.responseText);
            }
        };
        xhr.send(dom);
    </script>

</html>

test.php

<?php
    print @file_get_contents('php://input');
?>
Comment 1 Mark Rowe (bdash) 2008-04-10 22:27:29 PDT
Confirmed with 3.1 and TOT WebKit.
Comment 2 Mark Rowe (bdash) 2008-04-10 22:28:08 PDT
<rdar://problem/5857369>
Comment 3 Mark Rowe (bdash) 2008-04-10 22:31:23 PDT
I uploaded the test case to <http://bdash.net.nz/files/bug-18421.html> for easy access.
Comment 4 Keith Kowalczykowski 2008-04-10 22:46:04 PDT
Here is some additional discussion that occurred on the dev list, for future reference:

Eric Seidel:

The FF/IE behavior looks to be in disagreement with the spec:

http://www.w3.org/TR/XMLHttpRequest/#send

So it seems like both the spec and our code should be changed.

Please file a bug:
http://webkit.org/quality/reporting.html

Bugs reported on the mailing list are unlikely to be fixed unless also
added to the bugs database.

-eric
Me:

Hi Eric,

    Thanks for the quick response. Based upon the way I interpret the spec, it seems as though FF and IE are in agreement. Specifically, the spec states that send() should "Serialize data into a namespace well-formed XML document and encoded using the encoding given by data.xmlEncoding, if specified, or UTF-8 otherwise." Looking at the XML spec ( http://www.w3.org/TR/2006/REC-xml-20060816/#sec-well-formed), a well-formed document should exclude < and & from attribute and entity values. Therefore, it seems as though FF/IE are doing the correct thing in escaping these characters, whereas Safari is not. Maybe I'm interpreting something wrong, though?

    I have filed a bug #18421 about the issue. What is the general process for looking at/prioritizing bugs within WebKit?

    Thanks,
        Keith
Eric Seidel:

My apologies.

I misread your message.  You are correct.  Our behavior seems wrong to
me too.  Please file a bug.

-eric
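Added example (editor's note; not code from the report, from the dev-list exchange above, or from WebKit): the escaping that the well-formedness argument in Comment 4 calls for, a switch that reproduces the unescaped output quoted in the description, and a scanner for the symptom that can be run over a captured request body such as the one test.php echoes back. It runs under Node with a hand-rolled tree instead of the browser DOM, so the node shape, the function names and the sample values are all assumptions made for the demo. It also shows why the bug matters beyond spec conformance: a text value written through verbatim is indistinguishable on the wire from markup, so a document with one text node can serialize to exactly the bytes of a document with a different element structure.

```javascript
// Added example, not from the bug report or WebKit. Tree nodes are plain
// object literals (assumed shape): { name, attrs?, children? } for elements
// and { type: "text", value } for text. Sample values are constructed.

// Character data: '&' and '<' must not appear literally (XML 1.0, sec. 2.4).
// '>' only has to be escaped inside "]]>", but escaping it always is harmless.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute values (AttValue) forbid '<' and bare '&' as well; since values are
// quoted with '"', a literal '"' has to become &quot; too.
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}

// escape=false reproduces the Safari 3.1 behaviour from the report: attribute
// and text values are written through verbatim. Start and end tags are always
// emitted (no <x/> shorthand) to keep the comparison below exact.
function serialize(node, escape = true) {
  const esc = escape ? escapeText : (s) => s;
  const escA = escape ? escapeAttr : (s) => s;
  if (node.type === "text") return esc(node.value);
  let out = "<" + node.name;
  for (const [k, v] of Object.entries(node.attrs || {})) {
    out += ` ${k}="${escA(v)}"`;
  }
  out += ">";
  for (const child of node.children || []) out += serialize(child, escape);
  return out + "</" + node.name + ">";
}

// Scan serialized XML for the symptom: '&' that does not start a reference
// (&name; &#nn; &#xhh;) or '<' not followed by a name start, '/', '!' or '?'.
// Either is a well-formedness error, so a non-empty result from a captured
// request body means the client did not escape its values.
function bareMarkupChars(xml) {
  const ref = /^&(?:[A-Za-z_:][\w.:-]*|#\d+|#x[0-9A-Fa-f]+);/;
  const tagStart = /^<[A-Za-z_:\/!?]/;
  const offsets = [];
  for (let i = 0; i < xml.length; i++) {
    const c = xml[i];
    if (c === "&" && !ref.test(xml.slice(i, i + 64))) offsets.push(i);
    if (c === "<" && !tagStart.test(xml.slice(i, i + 2))) offsets.push(i);
  }
  return offsets;
}

// The report's document: <foo foo="a&b">a&b</foo>
const reportDoc = {
  name: "foo",
  attrs: { foo: "a&b" },
  children: [{ type: "text", value: "a&b" }],
};

// Constructed demo: one text node whose value happens to contain markup ...
const textOnly = {
  name: "root",
  children: [
    { name: "item", children: [{ type: "text", value: "</item><admin></admin><item>" }] },
  ],
};
// ... and a structurally different document with three child elements.
const threeElements = {
  name: "root",
  children: [{ name: "item" }, { name: "admin" }, { name: "item" }],
};

function demo() {
  return {
    correct: serialize(reportDoc),        // what Firefox/IE send per the report
    buggy: serialize(reportDoc, false),   // what Safari 3.1 sent per the report
    buggyOffsets: bareMarkupChars(serialize(reportDoc, false)),
    correctOffsets: bareMarkupChars(serialize(reportDoc)),
    // Unescaped, the text-only document is byte-identical to the three-element one.
    injected: serialize(textOnly, false) === serialize(threeElements),
    // Escaped, the text stays text and the two documents differ.
    safe: serialize(textOnly) === serialize(threeElements),
  };
}

console.log(demo());
```

Run it with node. demo() returns the escaped and unescaped serializations of the report's document, the offsets of the two bare ampersands in the unescaped form (and none in the escaped one), and two booleans: injected is true because the unescaped text node produces exactly the bytes of a document with extra elements, and safe is false because proper escaping keeps the value as character data.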
Comment 5 Alexey Proskuryakov 2008-05-18 22:19:55 PDT
See also: bug 19122.
Comment 6 Alexey Proskuryakov 2008-05-19 10:17:26 PDT
*** Bug 19122 has been marked as a duplicate of this bug. ***
Comment 7 Alexey Proskuryakov 2008-05-19 10:26:08 PDT
Created attachment 21228
proposed fix
Comment 8 Darin Adler 2008-05-19 10:35:29 PDT
Comment on attachment 21228
proposed fix

r=me
Comment 9 Alexey Proskuryakov 2008-05-19 12:14:10 PDT
Committed revision 33577.