SeasideSt / Seaside

The framework for developing sophisticated web applications in Smalltalk.
MIT License

Nested script tags are not properly escaped #1379

Closed jbrichau closed 4 months ago

jbrichau commented 1 year ago

Adding the following snippet to a Seaside render method breaks the generated HTML because the closing script tag in the jQuery append expression is not properly escaped.

html anchor script:
    ((html jQuery this closest: 'div') append: [ :r |
         r div script: (html jQuery this
                  on: 'click'
                  selector: '.class'
                  do: (JSStream on: 'alert(''nested script'')')) ])

In Seaside 3.0, the method https://github.com/SeasideSt/Seaside/blob/61f25aa0e8b820cf1e3d554ef8bcceb12e307233/Javascript-Core.package/JSStream.class/class/encodeString.on..st used to contain code that escapes closing of nested tags:

"avoid that browsers mistakenly take the output as a closing tag"
(last = $< and: [ char = $/ ])
    ifTrue: [ aStream nextPutAll: '\/' ]  
    ifFalse: [ aStream nextPut: char ] ]

In https://github.com/seasidest/seaside/issues/726, the commit comment that removed this from Seaside 3.0 code mentions:

do we really have to encode </ as <\/?

  • if it's inside a Githubissues.
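
The effect described in the issue, as an added JavaScript example that is not part of the original post or of Seaside's code: a string literal containing `</script>` ends the enclosing inline script early, while writing `</` as `<\/` keeps the script intact without changing the string's value. The function names, the sample markup and the simplified end-tag search are assumptions made for illustration.

```javascript
// Added example; all names and sample values are constructed for illustration.

// Encode a value as a double-quoted JavaScript string literal.
// With escapeClosingTags, "</" is written as "<\/": the JS value is unchanged,
// but the HTML tokenizer no longer finds an end tag inside the literal.
function encodeJsString(value, escapeClosingTags) {
  const literal = JSON.stringify(value);
  return escapeClosingTags ? literal.replace(/<\//g, '<\\/') : literal;
}

// Simplified model of how an HTML parser reads a script element: the element
// ends at the first "</script" followed by whitespace, "/" or ">", no matter
// whether that text sits inside a JavaScript string. (Comment-like "<!--"
// sequences, which change this behaviour, are not modelled.)
function scriptElementBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const rest = html.slice(start);
  const end = rest.search(/<\/script[\s\/>]/i);
  return end < 0 ? rest : rest.slice(0, end);
}

// Build an inline script that appends `markup` to an element via jQuery,
// comparable to the append: expression in the issue.
function renderInlineScript(markup, escapeClosingTags) {
  const js = '$(this).closest("div").append(' +
    encodeJsString(markup, escapeClosingTags) + ');';
  return { js, html: '<a><script>' + js + '</script></a>' };
}

// Constructed markup containing a nested script element.
const nested = '<div><script>alert("nested script")</script></div>';

const unescaped = renderInlineScript(nested, false);
const escaped = renderInlineScript(nested, true);

// Without escaping, the parser cuts the script off in the middle of the literal.
console.log('unescaped intact:', scriptElementBody(unescaped.html) === unescaped.js);
// With "<\/", the script element contains exactly the generated JavaScript.
console.log('escaped intact:  ', scriptElementBody(escaped.html) === escaped.js);
```
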