unable to insert raw content containing &

Open abendt opened this issue 6 years ago • 5 comments

It's not possible to insert raw content that contains & when using the DOM Builder:

Using v0.6.11 and Kotlin v1.2.51

```kotlin
val html = createHTMLDocument().html {
    body {
        unsafe {
            raw("""
                |<script>
                |var a = 3;
                |var b = -2;
                |console.log(a > 0 && b > 0);
                |</script>
                |""".trimMargin())
        }
    }
}.serialize(true)
```

```
org.xml.sax.SAXParseException; lineNumber: 4; columnNumber: 20; Auf "&" in der Entityreferenz muss umgehend der Entityname folgen.
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
    at kotlinx.html.dom.HTMLDOMBuilder$UnsafeImpl$1.unaryPlus(dom-jvm.kt:98)
    at kotlinx.html.Unsafe$DefaultImpls.raw(api.kt:61)
    at kotlinx.html.dom.HTMLDOMBuilder$UnsafeImpl$1.raw(dom-jvm.kt:95)
    at HtmlScriptTest$documentBuilderWithScriptWithEntity$html$1$1$1.invoke(HtmlScriptTest.kt:61)
    ...
```

abendt avatar Jul 05 '18 18:07 abendt

Also, there seems to be a regression regarding https://github.com/Kotlin/kotlinx.html/issues/83.

It worked with v0.6.10 but not with 0.6.11 anymore.

Check https://github.com/abendt/kotlin-html-jscript/blob/master/src/test/kotlin/HtmlScriptTest.kt for a demo project.

abendt avatar Jul 05 '18 19:07 abendt

Why should it work? Raw content simply appends unsafe text, so all characters need to be escaped properly.

cy6erGn0m avatar Jul 12 '18 14:07 cy6erGn0m

I'd expect it to work because it's OK for the resulting HTML to contain a '&'. On the other hand, I understand why it's not working, because of the underlying DOMBuilder. To add more confusion, it works when you use a StringBuilder.

abendt avatar Jul 12 '18 15:07 abendt

The idea of this block is that you can write anything you want at your own risk. The typical use case is to append a prerendered HTML block that a user believes is correct and well escaped.

cy6erGn0m avatar Jul 23 '18 11:07 cy6erGn0m

@cy6erGn0m From the point of view of the browser it's OK to have an unescaped '&' within e.g. a script tag. Here the DOM-builder-based implementation has issues parsing the content. I get that it probably makes sense to leave it as it is.

However, I'd suggest mentioning that in the documentation, as you already do regarding raw content and XSS (https://github.com/Kotlin/kotlinx.html/wiki/Style-and-script-tags).

abendt avatar Jul 28 '18 14:07 abendt
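As an added example (not code from the issue or from the kotlinx.html project), the following contrasts the StringBuilder-backed builder, which appends raw() verbatim, with a pre-check that reproduces the DOM builder's XML well-formedness requirement using the JDK parser, so the failure described in the thread is caught before the fragment reaches the builder. SCRIPT_BODY, isWellFormedFragment, xmlEscapeText and viaDomBuilder are names constructed for this illustration.

```kotlin
import java.io.StringReader
import javax.xml.parsers.DocumentBuilderFactory
import kotlinx.html.*
import kotlinx.html.dom.createHTMLDocument
import kotlinx.html.dom.serialize
import kotlinx.html.stream.createHTML
import org.xml.sax.InputSource
import org.xml.sax.SAXParseException

// Constructed sample: valid JavaScript that is not well-formed XML because of the bare "&&".
const val SCRIPT_BODY = "var a = 3; var b = -2; console.log(a > 0 && b > 0);"

// Stream builder (kotlinx.html.stream): raw() is appended to the StringBuilder verbatim,
// so the bare "&&" survives and the browser is the only parser that ever sees it.
fun viaStreamBuilder(): String = createHTML(prettyPrint = false).html {
    body { script { unsafe { raw(SCRIPT_BODY) } } }
}

// The DOM builder hands raw() to an XML parser. This pre-check reproduces that requirement with
// the JDK parser so a caller gets a clear answer instead of a SAXParseException from inside the
// builder. DTD processing is disabled because the fragment may originate outside this code.
fun isWellFormedFragment(fragment: String): Boolean = try {
    val factory = DocumentBuilderFactory.newInstance()
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    factory.newDocumentBuilder().parse(InputSource(StringReader("<fragment>$fragment</fragment>")))
    true
} catch (e: SAXParseException) {
    false
}

// Escape the characters that break well-formedness in XML text content.
fun xmlEscapeText(s: String): String =
    s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

// Hypothetical wrapper: refuse fragments the DOM builder would reject, with an explicit message,
// instead of letting the parser error surface deep inside unsafe { raw(...) }.
fun viaDomBuilder(fragment: String): String {
    require(isWellFormedFragment(fragment)) { "raw() content for the DOM builder must be well-formed XML" }
    return createHTMLDocument().html { body { unsafe { raw(fragment) } } }.serialize(false)
}

fun main() {
    println(viaStreamBuilder())
    println(isWellFormedFragment("<script>$SCRIPT_BODY</script>"))                  // unescaped body
    println(isWellFormedFragment("<script>${xmlEscapeText(SCRIPT_BODY)}</script>")) // escaped body
    println(viaDomBuilder("<script>${xmlEscapeText(SCRIPT_BODY)}</script>"))
}
```

The check only covers well-formedness; whether a fragment is safe to emit through unsafe { } is still a question of where it came from and whether it was escaped for its context, as the wiki page linked above discusses.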