Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 25485
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: JSTENZEL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: autoEscape() bypassed for Javascript handlers, except in button()
Download (untitled) / with headers
text/plain 6.2k
I am using CGI 3.10 with perl 5.8.6 under Solaris 8. No hint was found in the change log these bugs are fixed in newer versions, so I am going to report them. Documentation: autoEscape(0) does *not* disable auto escaping. Using a method with an undefined value does: $cgi->autoEscape(undef). From the documentation, one would expect deactivated auto escaping would mean there is no auto escaping at all, but this is wrong for *Javascript* handlers which are auto escaped regardless of the auto escape setup. This is very confusing because it is not documented. Unfortunately, extra confusion is added by the fact that this bypassing of the flag does *not* happen for the button() method. Here is a script that demonstrates the behaviour: # textfield, password_field, textarea, popup_menu, scrolling_list, checkbox_group, checkbox, radio_group, submit, image_button # pragmas use strict; use warnings; # modules use CGI; # build object and deactivate auto escaping my $cgi=new CGI; $cgi->autoEscape(undef); # demonstrate the handling of Javascript code # for the various controls print $cgi->header, $cgi->start_form, $cgi->textfield( { default => 'text field', onclick => 'alert("===> text field")', }, ), $cgi->password_field( { default => 'password field', onclick => 'alert("===> password field")', }, ), $cgi->textarea( { name => 'foo', default => 'text area', rows => 10, columns => 50, onclick => 'alert("===> text area")', }, ), $cgi->popup_menu( { name => 'menu_name', values => ['eenie','meenie','minie'], default => 'meenie', onclick => 'alert("===> popup menu")', } ), $cgi->popup_menu( -name=>'menu_name', onclick => 'alert("===> menu group")', -values=>[ qw/eenie meenie minie/, $cgi->optgroup( - name=>'optgroup_name', onclick => 'alert("===> menu group option")', -values => ['moe','catch'], - attributes=>{'catch'=>{'class'=>'red'}} ) ], -labels=>{ 'eenie'=>'one', 'meenie'=>'two', 'minie'=>'three' }, -default=>'meenie' ), $cgi->scrolling_list( -name=>'list_name', onclick => 'alert("===> scrolling list")', - values=>['eenie','meenie','minie','moe'], -default=>['eenie','moe'], -size=>5, -multiple=>'true', ), $cgi->checkbox_group( -name=>'group_name', onclick => 'alert("===> checkbox group")', - values=>['eenie','meenie','minie','moe'], -default=>['eenie','moe'], -linebreak=>'true', ), $cgi->checkbox( -name=>'checkbox_name', onclick => 'alert("===> single checkbox")', onchange => 'alert("===> single checkbox changed")', -checked=>1, -value=>'ON', -label=>'CLICK ME' ), $cgi->radio_group( { name=>'group_name', onclick => 'alert("===> radio group")', values=>['eenie','meenie','minie','moe'], rows=>2, columns=>2, } ), $cgi->submit( -name=>'button_name', onclick => 'alert("===> submit button")', -value=>'value' ), $cgi->image_button( -name=>'button_name', onclick => 'alert("===> image button")', -src=>'/source/URL', -align=>'MIDDLE' ), $cgi->button( { onclick => 'alert("===> Button")', title => 'Button', }, ), $cgi->end_form, ; Finally, if it is possible I suggest to accelerate the escape function. Switching off auto escaping became a need when it turned out in profiling that autoEscape() calls took significant time in building a form with dozens of controls. The script is faster with extra calls of HTML::Entities::encode_entities() (for the data), but it would be great and convenient if the same performance was possible without extra code. Thank you for a great module, and for the fixes in advance!
Download (untitled) / with headers
text/plain 6.9k
This bug was actually fixed in RT #40748 with the overhaul of the autoEscape method and so is fixed in CGI.pm versions 3.46 and above. I have a test at http://github.com/bubaflub/CGI.pm/tree/RT25485 that confirms this is the correct behavior. On Fri Mar 16 06:14:28 2007, JSTENZEL wrote: Show quoted text
> > I am using CGI 3.10 with perl 5.8.6 under Solaris 8. No hint was found > in the change log these bugs are fixed in newer versions, so I am going > to report them. > > Documentation: autoEscape(0) does *not* disable auto escaping. Using a > method with an undefined value does: $cgi->autoEscape(undef). > > From the documentation, one would expect deactivated auto escaping would > mean there is no auto escaping at all, but this is wrong for > *Javascript* handlers which are auto escaped regardless of the auto > escape setup. This is very confusing because it is not documented. > > Unfortunately, extra confusion is added by the fact that this bypassing > of the flag does *not* happen for the button() method. Here is a script > that demonstrates the behaviour: > > # textfield, password_field, textarea, popup_menu, scrolling_list, > checkbox_group, checkbox, radio_group, submit, image_button > > # pragmas > use strict; > use warnings; > > # modules > use CGI; > > # build object and deactivate auto escaping > my $cgi=new CGI; > $cgi->autoEscape(undef); > > # demonstrate the handling of Javascript code > # for the various controls > print $cgi->header, > > $cgi->start_form, > > $cgi->textfield( > { > default => 'text field', > onclick => 'alert("===> text field")', > }, > ), > > $cgi->password_field( > { > default => 'password field', > onclick => 'alert("===> password > field")', > }, > ), > > $cgi->textarea( > { > name => 'foo', > default => 'text area', > rows => 10, > columns => 50, > onclick => 'alert("===> text area")', > }, > ), > > $cgi->popup_menu( > { > name => 'menu_name', > values => ['eenie','meenie','minie'], > default => 'meenie', > onclick => 'alert("===> popup menu")', > } > ), > > $cgi->popup_menu( > -name=>'menu_name', > onclick => 'alert("===> menu group")', > -values=>[ > qw/eenie meenie minie/, > $cgi->optgroup( > - > name=>'optgroup_name', > onclick => > 'alert("===> menu group option")', > -values => > ['moe','catch'], > - > attributes=>{'catch'=>{'class'=>'red'}} > ) > ], > -labels=>{ > 'eenie'=>'one', > 'meenie'=>'two', > 'minie'=>'three' > }, > -default=>'meenie' > ), > > $cgi->scrolling_list( > -name=>'list_name', > onclick => 'alert("===> scrolling > list")', > - > values=>['eenie','meenie','minie','moe'], > -default=>['eenie','moe'], > -size=>5, > -multiple=>'true', > ), > > $cgi->checkbox_group( > -name=>'group_name', > onclick => 'alert("===> checkbox group")', > - > values=>['eenie','meenie','minie','moe'], > -default=>['eenie','moe'], > -linebreak=>'true', > ), > > $cgi->checkbox( > -name=>'checkbox_name', > onclick => 'alert("===> single checkbox")', > onchange => 'alert("===> single checkbox > changed")', > -checked=>1, > -value=>'ON', > -label=>'CLICK ME' > ), > > $cgi->radio_group( > { > name=>'group_name', > onclick => 'alert("===> radio group")', > values=>['eenie','meenie','minie','moe'], > rows=>2, > columns=>2, > } > ), > > $cgi->submit( > -name=>'button_name', > onclick => 'alert("===> submit button")', > -value=>'value' > ), > > $cgi->image_button( > -name=>'button_name', > onclick => 'alert("===> image button")', > -src=>'/source/URL', > -align=>'MIDDLE' > ), > > $cgi->button( > { > onclick => 'alert("===> Button")', > title => 'Button', > }, > ), > > $cgi->end_form, > > ; > > Finally, if it is possible I suggest to accelerate the escape function. > Switching off auto escaping became a need when it turned out in > profiling that autoEscape() calls took significant time in building a > form with dozens of controls. The script is faster with extra calls of > HTML::Entities::encode_entities() (for the data), but it would be great > and convenient if the same performance was possible without extra code. > > Thank you for a great module, and for the fixes in advance! > > >
Thanks for the report and tests. I've pulled tests into my github repo now.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.