|
Description: |
The output of $jsontool and $escapetool.javascript is frequently used in HTML macros. To prevent their output from interfering with the closing of the surrounding HTML macro, both should escape {. It also prevents such output from being accidentally HTML-escaped, which would alter the meaning of the content.
*Steps to reproduce:*
Put one of the following two wiki syntaxes in a document:
{noformat}
{{velocity}}
{{html clean="false"}}
$jsontool.serialize('{{html}}')
{{/html}}
{{/velocity}}
{noformat}
{noformat}
{{velocity}}
{{html clean="false"}}
$escapetool.javascript('{{html}}')
{{/html}}
{{/velocity}}
{noformat}
*Expected result:*
The text {noformat}{{html}}{noformat} or {noformat}\u007B\u007Bhtml}}{noformat} (using JavaScript/JSON escaping for {) is displayed (in quotes for the json tool).
*Actual result:*
For the first version, {noformat}"{{html}}" {{/html}}{noformat} is displayed; the second version produces {noformat}{{html}} {{/html}}{noformat}.
This shows that, due to the extra opening HTML macro syntax, the parser considers the closing HTML macro syntax as content, leading to the unwanted output. This is particularly a problem when the printed text contains user-controlled strings. Both tools already escape "/" so their output cannot close the HTML macro. |
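A sketch of the requested escaping, as an added example that is not XWiki's implementation: it post-processes JSON.stringify output so that { and / inside string literals are written as \u007B and \/, which still parse back to the original value. The function names escapeInsideStrings and serializeForHtmlMacro are hypothetical.

```javascript
// Added illustration, not the code of $jsontool or $escapetool.
// Rewrites "{" and "/" only inside JSON string literals; the structural
// "{" of an object is left alone. Compact JSON never has two structural
// "{" in a row (an object opens with a key string or "}"), so the result
// cannot contain the "{{" that opens wiki macro syntax.
function escapeInsideStrings(json) {
  let out = "";
  let inString = false;
  for (let i = 0; i < json.length; i++) {
    const ch = json[i];
    if (!inString) {
      if (ch === '"') inString = true;
      out += ch;
    } else if (ch === "\\") {
      // Existing escape sequence (\" \\ \n \uXXXX ...): copy both the
      // backslash and the character it protects without changing them.
      out += ch + json[++i];
    } else if (ch === '"') {
      inString = false;
      out += ch;
    } else if (ch === "{") {
      out += "\\u007B"; // JSON/JavaScript escape for "{"
    } else if (ch === "/") {
      out += "\\/"; // the page notes both tools already escape "/"
    } else {
      out += ch;
    }
  }
  return out;
}

function serializeForHtmlMacro(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value is not serializable as JSON");
  }
  return escapeInsideStrings(json);
}

// Constructed sample inputs, including the string from the steps above.
for (const sample of ["{{html}}", { "k{{": ["{{/html}}", 'a"\\{'] }]) {
  console.log(serializeForHtmlMacro(sample));
}
```
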
|