Bug #39894 for HTML-FormFu: HTML Escaping incomplete

Wed Oct 08 12:55:08 2008 rod.taylor [...] gmail.com - Ticket created

Subject:

HTML Escaping incomplete

xml_escape() does not currently escape characters for option labels such as "m²". The following changes to Util.pm will escape all special characters using HTML::Entities rather than the home-brew escaping that existed prior to this. *** Util.pm.orig Wed Oct 8 12:48:59 2008 --- Util.pm Wed Oct 8 12:52:10 2008 *************** *** 8,13 **** --- 8,14 ---- use Readonly; use Exporter qw/ import /; use Carp qw/ croak /; + use HTML::Entities; Readonly my $EMPTY_STR => q{}; Readonly my $SPACE => q{ }; *************** *** 332,343 **** return $val if !length $val; ! $val =~ s/&/&/g; ! $val =~ s/"/"/g; ! $val =~ s/'/'/g; ! $val =~ s/</</g; ! $val =~ s/>/>/g; ! $val =~ s/²/²/g; return $val; } --- 333,339 ---- return $val if !length $val; ! $val = encode_entities($val); return $val; }

Wed Oct 08 17:41:29 2008 andreas.marienborg [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #39894] HTML Escaping incomplete
Date:	Wed, 08 Oct 2008 23:40:53 +0200
To:	bug-HTML-FormFu [...] rt.cpan.org
From:	Andreas Marienborg <omega [...] palle.net>

I think you are confusing xml and html entities? what is the problem you are attempting to fix? - andreas On Oct 8, 2008, at 6:55 PM, Rod Taylor via RT wrote: Show quoted text

> Wed Oct 08 12:55:08 2008: Request 39894 was acted upon. > Transaction: Ticket created by rtaylor > Queue: HTML-FormFu > Subject: HTML Escaping incomplete > Broken in: 0.03005 > Severity: (no value) > Owner: Nobody > Requestors: rod.taylor@gmail.com > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=39894 > > > > xml_escape() does not currently escape characters for option labels > such > as "m²". > > The following changes to Util.pm will escape all special characters > using HTML::Entities rather than the home-brew escaping that existed > prior to this. > > > > *** Util.pm.orig Wed Oct 8 12:48:59 2008 > --- Util.pm Wed Oct 8 12:52:10 2008 > *************** > *** 8,13 **** > --- 8,14 ---- > use Readonly; > use Exporter qw/ import /; > use Carp qw/ croak /; > + use HTML::Entities; > > Readonly my $EMPTY_STR => q{}; > Readonly my $SPACE => q{ }; > *************** > *** 332,343 **** > > return $val if !length $val; > > ! $val =~ s/&/&/g; > ! $val =~ s/"/"/g; > ! $val =~ s/'/'/g; > ! $val =~ s/</</g; > ! $val =~ s/>/>/g; > ! $val =~ s/²/²/g; > > return $val; > } > --- 333,339 ---- > > return $val if !length $val; > > ! $val = encode_entities($val); > > return $val; > }

Wed Oct 08 17:41:32 2008 The RT System itself - Status changed from 'new' to 'open'

Wed Oct 08 17:50:10 2008 rod.taylor [...] gmail.com - Correspondence added

From:

rod.taylor [...] gmail.com

The special characters in my Select options are not escaped unless this modification is put into place. Specifically, the superscript 2 symbol. - type: Select name: foo options: - ['Feet Squared', 'f²'] - ['Meters Squared', 'm²'] On Wed Oct 08 17:41:29 2008, ANDREMAR wrote: Show quoted text

> I think you are confusing xml and html entities? what is the problem > you are attempting to fix? > > - andreas > > On Oct 8, 2008, at 6:55 PM, Rod Taylor via RT wrote: >

> > Wed Oct 08 12:55:08 2008: Request 39894 was acted upon. > > Transaction: Ticket created by rtaylor > > Queue: HTML-FormFu > > Subject: HTML Escaping incomplete > > Broken in: 0.03005 > > Severity: (no value) > > Owner: Nobody > > Requestors: rod.taylor@gmail.com > > Status: new > > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=39894 > > > > > > > xml_escape() does not currently escape characters for option labels > > such > > as "m²". > > > > The following changes to Util.pm will escape all special characters > > using HTML::Entities rather than the home-brew escaping that existed > > prior to this. > > > > > > > > *** Util.pm.orig Wed Oct 8 12:48:59 2008 > > --- Util.pm Wed Oct 8 12:52:10 2008 > > *************** > > *** 8,13 **** > > --- 8,14 ---- > > use Readonly; > > use Exporter qw/ import /; > > use Carp qw/ croak /; > > + use HTML::Entities; > > > > Readonly my $EMPTY_STR => q{}; > > Readonly my $SPACE => q{ }; > > *************** > > *** 332,343 **** > > > > return $val if !length $val; > > > > ! $val =~ s/&/&/g; > > ! $val =~ s/"/"/g; > > ! $val =~ s/'/'/g; > > ! $val =~ s/</</g; > > ! $val =~ s/>/>/g; > > ! $val =~ s/²/²/g; > > > > return $val; > > } > > --- 333,339 ---- > > > > return $val if !length $val; > > > > ! $val = encode_entities($val); > > > > return $val; > > }

>

Thu Oct 16 16:32:08 2008 cpan [...] fireartist.com - Correspondence added

The superscript symbol isn't plain ascii, so you must be using a specific encoding, such as utf8. As long as you've got your app set up to handle that encoding, it should round-trip to the browser and back with no problems. xml_escape() only escapes those characters strictly necessary for xml - not xhtml. See HTML::FormFu::Manual::Cookbook for details on using unicode.

Thu Oct 16 16:32:10 2008 cpan [...] fireartist.com - Status changed from 'open' to 'stalled'

Fri Oct 31 14:41:34 2008 cpan [...] fireartist.com - Status changed from 'stalled' to 'resolved'