WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
18421
XMLHttpRequest does not properly encode & and < in outgoing messages
https://bugs.webkit.org/show_bug.cgi?id=18421
Summary
XMLHttpRequest does not properly encode & and < in outgoing messages
Keith Kowalczykowski
Reported
2008-04-10 22:02:58 PDT
This bug is evident on both mac and windows version of Safari 3.1. I have not tested previous versions, as I do not have access to them. The following is the contents of an email I sent to the dev list regarding the issue: I'm having a little problem with Safari (3.1) and the escaping of XML when using XmlHttpRequest. The behavior that I'm seeing is that Safari/Webkit is not properly escaping & and < when sending an XML document to the server. For example, if I have the following XML document: <foo foo="a&b">a&b</foo> On Firefox/IE, the value sent to the server is: <foo foo"a&b">a&b</foo> However, on Safari, the value is: <foo foo="a&b">a&b</foo> I have included some proof-of-concept code at the end of this email. Please let me know if there is something obvious that I'm doing wrong, or if this is really a bug in Safari/Webkit. Thanks. -Keith Sample Code: This code simply creates an XML document that is the same as the example I gave above. It then creates an XHR object and sends it to the server. The server simply sends the received value back to the client, which is then displayed using an alert dialog. Under IE and FF, this code works fine. Under Safari, however, it does not. test.html <html> <head> </head> <body> </body> <script type="text/javascript"> // Create a new document var dom = document.implementation.createDocument("","", null); // Create the root node var root = dom.appendChild(dom.createElement("foo")); // Add an attribute root.setAttribute("foo", "a&b"); // Add a text node var txt = dom.createTextNode("a&b"); // Append it root.appendChild(txt); // Create the XHR object var xhr = new XMLHttpRequest(); xhr.open("POST", "test.php", true); xhr.onreadystatechange = function() { if (xhr.readyState == 4 && xhr.status == 200) { alert(xhr.responseText); } }; xhr.send(dom); </script> </html> test.php <?php print @file_get_contents('php://input'); ?>
Attachments
proposed fix
(14.96 KB, patch)
2008-05-19 10:26 PDT
,
Alexey Proskuryakov
darin
: review+
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1
2008-04-10 22:27:29 PDT
Confirmed with 3.1 and TOT WebKit.
Mark Rowe (bdash)
Comment 2
2008-04-10 22:28:08 PDT
<
rdar://problem/5857369
>
Mark Rowe (bdash)
Comment 3
2008-04-10 22:31:23 PDT
I uploaded the test case to <
http://bdash.net.nz/files/bug-18421.html
> for easy access.
Keith Kowalczykowski
Comment 4
2008-04-10 22:46:04 PDT
Here is some additional discussion that occurred on the dev list, for future reference: Erik Seidel: The FF/IE behavior looks to be in disagreement with the spec:
http://www.w3.org/TR/XMLHttpRequest/#send
So it seems like both the spec and our code should be changed. Please file a bug:
http://webkit.org/quality/reporting.html
Bugs reported on the mailing list are unlikely to be fixed unless also added to the bugs database. -eric Me: Hi Eric, Thanks for the quick response. Based upon the way I interpret the spec, it seems as though FF and IE are in agreement. Specifically, the spec states that send() should "Serialize data into a namespace well-formed XML document and encoded using the encoding given by data.xmlEncoding, if specified, or UTF-8 otherwise." Looking at the XML spec (
http://www.w3.org/TR/2006/REC-xml-20060816/#sec-well-formed
), a well formed document should exclude < and & from attribute and entity values. Therefore, it seems as though FF/IE are doing the correct thing in escaping these characters, where-as Safari is not. Maybe I'm interpreting something wrong, though? I have filed a
bug #18421
about the issue. What is the general processes for looking at/prioritizing bugs within WebKit? Thanks, Keith Eric Seidel: My apologies. I misread your message. You are correct. Our behavior seems wrong to me too. Please file a bug. -eric
Alexey Proskuryakov
Comment 5
2008-05-18 22:19:55 PDT
See also:
bug 19122
.
Alexey Proskuryakov
Comment 6
2008-05-19 10:17:26 PDT
***
Bug 19122
has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 7
2008-05-19 10:26:08 PDT
Created
attachment 21228
[details]
proposed fix
Darin Adler
Comment 8
2008-05-19 10:35:29 PDT
Comment on
attachment 21228
[details]
proposed fix r=me
Alexey Proskuryakov
Comment 9
2008-05-19 12:14:10 PDT
Committed revision 33577.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug