[webkit-dev] XHR XML Escaping

Eric Seidel eric at webkit.org
Thu Apr 10 22:28:18 PDT 2008


My apologies.

I misread your message.  You are correct.  Our behavior seems wrong to
me too.  Please file a bug.

-eric

On Thu, Apr 10, 2008 at 10:20 PM, Keith Kowalczykowski
<keith at app2you.com> wrote:
> Hi Eric,
>
>     Thanks for the quick response. Based upon the way I interpret the spec,
>  it seems as though FF and IE are in agreement. Specifically, the spec states
>  that send() should "Serialize data into a namespace well-formed XML document
>  and encoded using the encoding given by data.xmlEncoding, if specified, or
>  UTF-8 otherwise." Looking at the XML spec (
>  http://www.w3.org/TR/2006/REC-xml-20060816/#sec-well-formed), a well formed
>  document should exclude < and & from attribute and entity values. Therefore,
>  it seems as though FF/IE are doing the correct thing in escaping these
>  characters, where-as Safari is not. Maybe I'm interpreting something wrong,
>  though?
>
>     I have filed a bug #18421 about the issue. What is the general process
>  for looking at/prioritizing bugs within WebKit?
>
>     Thanks,
>         Keith
>
>
>
>  > The FF/IE behavior looks to be in disagreement with the spec:
>  >
>  > http://www.w3.org/TR/XMLHttpRequest/#send
>  >
>  > So it seems like both the spec and our code should be changed.
>  >
>  > Please file a bug:
>  > http://webkit.org/quality/reporting.html
>  >
>  > Bugs reported on the mailing list are unlikely to be fixed unless also
>  > added to the bugs database.
>  >
>  > -eric
>  >
>  >
>  > On Thu, Apr 10, 2008 at 7:37 PM, Keith Kowalczykowski <keith at app2you.com>
>  > wrote:
>  >> Hi Everyone,
>  >>
>  >>     I'm having a little problem with Safari (3.1) and the escaping of XML
>  >>  when using XMLHttpRequest. The behavior that I'm seeing is that
>  >>  Safari/Webkit is not properly escaping & and < when sending an XML document
>  >>  to the server. For example, if I have the following XML document:
>  >>
>  >>  <foo foo="a&b">a&b</foo>
>  >>
>  >>  On Firefox/IE, the value sent to the server is:
>  >>
>  >>  <foo foo="a&amp;b">a&amp;b</foo>
>  >>
>  >>  However, on Safari, the value is:
>  >>
>  >>  <foo foo="a&b">a&b</foo>
>  >>
>  >>  I have included some proof-of-concept code at the end of this email. Please
>  >>  let me know if there is something obvious that I'm doing wrong, or if this
>  >>  is really a bug in Safari/Webkit. Thanks.
>  >>
>  >>     -Keith
>  >>
>  >>  Sample Code:
>  >>
>  >>  This code simply creates an XML document that is the same as the example I
>  >>  gave above. It then creates an XHR object and sends it to the server. The
>  >>  server simply sends the received value back to the client, which is then
>  >>  displayed using an alert dialog. Under IE and FF, this code works fine.
>  >>  Under Safari, however, it does not.
>  >>
>  >>  test.html
>  >>
>  >>  <html>
>  >>     <head>
>  >>     </head>
>  >>
>  >>     <body>
>  >>     <script type="text/javascript">
>  >>         // Create a new document
>  >>         var dom = document.implementation.createDocument("","", null);
>  >>
>  >>         // Create the root node
>  >>         var root = dom.appendChild(dom.createElement("foo"));
>  >>
>  >>         // Add an attribute
>  >>         root.setAttribute("foo", "a&b");
>  >>
>  >>         // Add a text node
>  >>         var txt = dom.createTextNode("a&b");
>  >>
>  >>         // Append it
>  >>         root.appendChild(txt);
>  >>
>  >>         // Create the XHR object
>  >>         var xhr = new XMLHttpRequest();
>  >>         xhr.open("POST", "test.php", true);
>  >>         xhr.onreadystatechange = function()
>  >>         {
>  >>             if (xhr.readyState == 4 && xhr.status == 200)
>  >>             {
>  >>                 alert(xhr.responseText);
>  >>             }
>  >>         };
>  >>
>  >>         // Send the Document; the browser serializes it to XML
>  >>         xhr.send(dom);
>  >>     </script>
>  >>     </body>
>  >>
>  >>  </html>
>  >>
>  >>  test.php
>  >>
>  >>  <?php
>  >>     print @file_get_contents('php://input');
>  >>  ?>
>  >>
>  >>
>  >>  _______________________________________________
>  >>  webkit-dev mailing list
>  >>  webkit-dev at lists.webkit.org
>  >>  http://lists.webkit.org/mailman/listinfo/webkit-dev
>  >>
>
>
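
The escaping rule discussed in this thread, as an added example that is not part of the original messages or of WebKit's code: a serializer that escapes `&` and `<` in text and attribute values, and a receiving-side check that flags payloads where they arrive unescaped. The function names are hypothetical and the two inputs are constructed from the outputs quoted above.

```javascript
// Added example, not from the thread. All function names are hypothetical.
// XML 1.0 well-formedness: '&' and '<' may not appear literally in
// character data or attribute values; they must be written as references.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;")
          .replace(/[\t\n\r]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Serialize one element with attributes and a single text child.
function serializeElement(name, attrs, text) {
  const a = Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join("");
  return `<${name}${a}>${escapeText(text)}</${name}>`;
}

// A '&' is acceptable only when it starts an entity or character reference.
const REFERENCE = /^&(?:[A-Za-z_:][\w:.-]*|#[0-9]+|#x[0-9A-Fa-f]+);/;

// Report offsets of bare '&' anywhere, and of '<' inside a quoted attribute value.
function findUnescaped(xml) {
  const problems = [];
  let inTag = false, quote = null;
  for (let i = 0; i < xml.length; i++) {
    const c = xml[i];
    if (c === "&" && !REFERENCE.test(xml.slice(i, i + 64))) {
      problems.push({ offset: i, char: "&" });
    } else if (quote) {
      if (c === quote) quote = null;
      else if (c === "<") problems.push({ offset: i, char: "<" });
    } else if (inTag) {
      if (c === '"' || c === "'") quote = c;
      else if (c === ">") inTag = false;
    } else if (c === "<") {
      inTag = true;
    }
  }
  return problems;
}

// Constructed inputs: the escaped and unescaped payloads quoted in the thread.
const escaped = serializeElement("foo", { foo: "a&b" }, "a&b");
const unescaped = '<foo foo="a&b">a&b</foo>';
console.log(escaped, findUnescaped(escaped));
console.log(unescaped, findUnescaped(unescaped));
```

A server that receives XML from browsers can run a check like `findUnescaped` (or simply a strict XML parser) before trusting the body, since the unescaped form is not well-formed and a lenient parser may interpret it differently from the sender's DOM.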

