Parchment HTML encoding


Andrew Plotkin

Apr 6, 2012, 1:50:29 AM
to parc...@googlegroups.com
While messing around with pr-if.org, I realized that Shade had a problem
printing < and > characters. In the "about" text, I print the game's URL
as:

<http://www.eblong.com/zarf/if.html>

In Parchment, this line disappears, because it gets sent to the DOM via
the elem.html() method and turns into a tag.

(You can see this on the ifdb page:
http://ifdb.tads.org/viewgame?id=hsfc7fnl40k4a30q and type
"about".)

This is kind of serious, because it's trivial to upload a malicious zcode
file somewhere and insert Javascript into the user's browser.

I've fixed this in my Parchment branch:
https://github.com/erkyrath/parchment/tree/zarfsite
Testing Shade: http://pr-if.org/play/shade/

You probably can't import the patch directly, because I've danced all over
the Parchment display code to make it suit my needs, and it forked from
the official source several months ago. However, the code may be helpful
anyway. It's at lines 54-69 of src/structio/api.js.

--Z

--
"And Aholibamah bare Jeush, and Jaalam, and Korah: these were the borogoves..."
*

Dannii

Apr 6, 2012, 3:24:39 AM
to parc...@googlegroups.com
Ohh, that is serious. I'll fix it ASAP. Thanks!

--
You received this message because you're subscribed to the Parchment Google Group. http://groups.google.com/group/parchment

Dannii

Apr 6, 2012, 11:01:27 PM
to Parchment
Fixed. I'm using white-space: pre-wrap now, so thanks for the hint
about that before.

On Apr 6, 5:24 pm, Dannii <curiousdan...@gmail.com> wrote:
> Ohh, that is serious. I'll fix it ASAP. Thanks!
>
> On 6 April 2012 15:50, Andrew Plotkin <zgoo...@eblong.com> wrote:
>
> > While messing around with pr-if.org, I realized that Shade had a problem
> > printing < and > characters. In the "about" text, I print the game's URL as:
> >
> > <http://www.eblong.com/zarf/if.html>
> >
> > In Parchment, this line disappears, because it gets sent to the DOM via
> > the elem.html() method and turns into a tag.
> >
> > (You can see this on the ifdb page:
> > http://ifdb.tads.org/viewgame?id=hsfc7fnl40k4a30q and type
> > "about".)
> >
> > This is kind of serious, because it's trivial to upload a malicious zcode
> > file somewhere and insert Javascript into the user's browser.
> >
> > I've fixed this in my Parchment branch:
> > https://github.com/erkyrath/parchment/tree/zarfsite
> > Testing Shade: http://pr-if.org/play/shade/
> >
> > You probably can't import the patch directly, because I've danced all over
> > the Parchment display code to make it suit my needs, and it forked from the
> > official source several months ago. However, the code may be helpful
> > anyway. It's at lines 54-69 of src/structio/api.js.
> >
> > --Z
> >
> > --
> > "And Aholibamah bare Jeush, and Jaalam, and Korah: these were the
> > borogoves..."
> > *
> >
> > --
> > You received this message because you're subscribed to the Parchment
> > Google Group. http://groups.google.com/group/parchment
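As an added example (not Parchment's code, and not from either poster), the two rendering paths this thread contrasts: handing interpreter output to something like elem.html(), where a "<" in game text is parsed as markup, versus escaping it or inserting a text node styled with white-space: pre-wrap, which is the shape of the fix Dannii describes. The renderer functions, the hostile sample line and the leaksMarkup check are constructed for illustration; only the URL line is taken from the thread, and the real Parchment code in src/structio/api.js is not reproduced here.

```javascript
// Constructed samples: the "about" line Shade prints, and the kind of line a
// hostile story file could print instead. Neither string is trusted input.
const ABOUT_LINE = "<http://www.eblong.com/zarf/if.html>";
const HOSTILE_LINE = "<script>alert(1)</script>";

// Escape the five characters that let text be read as HTML markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable path (equivalent to elem.html(text)): the game's output string
// becomes innerHTML, so "<http://...>" is parsed as an unknown tag and vanishes,
// and a "<script>" from a malicious story file would be executed.
function renderAsHtml(text) {
  return '<div class="line">' + text + "</div>";
}

// Hardened path, string form: escape before the text reaches innerHTML, and use
// white-space: pre-wrap so newlines and runs of spaces survive without any
// markup (the old html() path needed markup for that).
function renderEscaped(text) {
  return '<div class="line" style="white-space: pre-wrap">' + escapeHtml(text) + "</div>";
}

// Hardened path, DOM form (browser only, so not exercised under Node): append a
// text node; the HTML parser never sees the game text at all.
function appendLine(container, text) {
  const div = document.createElement("div");
  div.className = "line";
  div.style.whiteSpace = "pre-wrap";
  div.appendChild(document.createTextNode(text));
  container.appendChild(div);
  return div;
}

// Check helper: strip the renderer's own wrapper and ask whether anything that
// the browser would treat as a tag start is left inside it.
function leaksMarkup(renderer, text) {
  const inner = renderer(text).replace(/^<div[^>]*>/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z/!]/.test(inner);
}

if (typeof document === "undefined") {
  // Stand-alone run under Node: show both paths on both sample lines.
  for (const line of [ABOUT_LINE, HOSTILE_LINE]) {
    console.log("html():  leaks markup =", leaksMarkup(renderAsHtml, line));
    console.log("escaped: leaks markup =", leaksMarkup(renderEscaped, line));
    console.log("         rendered as  ", renderEscaped(line));
  }
}
```

In a page that already uses jQuery, the DOM form above is just elem.text(line) on an element whose CSS sets white-space: pre-wrap; the point is that game text must only ever enter the document through a text node or after escaping, never through html() or innerHTML.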