Script tag contents are HTML escaped #460
Comments
All entities are now decoded while parsing. That's generally an improvement (especially as this fixed several issues with entities in attribute values), but requires encoding characters once the document is rendered. There are several characters that don't really have to be escaped, The fix in #461 is too narrow. In the end, we should maintain a list of elements that contain plain text, raw text or script data (ie. |
For #461 this was a bit of a rushed fix as the merge with canonical master I think in the long run reducing the number of escaped characters will have That being said, I don't think the list there is accurate, from my reading On Tue, Apr 22, 2014 at 9:04 AM, Felix Böhm [email protected]:
|
@kpdecker Have a look at the serialization part of the spec:
cheerio should just assume that the "scripting flag" is set, even though scripts aren't executed. |
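The text-node rule from the serialization part of the HTML spec referred to in the comments above, as an added example that is not part of the thread or of cheerio's code: text inside raw-text elements is written out literally, and all other text is escaped. The node shape (`tag`, `children`), the function names and the sample tree are constructed for illustration; attributes and void elements are left out.

```javascript
// Parents whose text children the HTML serialization algorithm emits literally.
const RAW_TEXT_PARENTS = new Set([
  'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
]);

// Text-node escaping used everywhere else: &, U+00A0, < and >.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialize a node of the hypothetical shape { tag, children } (strings are text nodes).
// scripting defaults to true, so <noscript> text is also written literally.
function serialize(node, parentTag = null, scripting = true) {
  if (typeof node === 'string') {
    const literal = RAW_TEXT_PARENTS.has(parentTag) ||
      (parentTag === 'noscript' && scripting);
    return literal ? node : escapeText(node);
  }
  const tag = node.tag.toLowerCase();
  const inner = (node.children || [])
    .map((child) => serialize(child, tag, scripting)).join('');
  return `<${tag}>${inner}</${tag}>`;
}

// Literal output cannot protect itself: text holding the element's own end tag
// will not re-parse to the same tree, so flag it before emitting.
function roundTripUnsafe(tag, text) {
  return new RegExp(`</${tag}[\\s/>]`, 'i').test(text);
}

// Constructed sample tree.
const sampleDoc = { tag: 'div', children: [
  { tag: 'p', children: ['1 < 2 && 3 > 2'] },
  { tag: 'script', children: ['if (a < b && c > d) { run(); }'] },
  { tag: 'style', children: ['ul > li { margin: 0 }'] },
  { tag: 'noscript', children: ['<img src="x.png">'] },
] };

console.log(serialize(sampleDoc));
console.log(serialize(sampleDoc, null, false));
console.log(roundTripUnsafe('script', 'var s = "</script>";'));
```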
@kpdecker Do you want to give it a try? The (IMHO, the easiest solution would be to inline |
Sure I could take a look. Like I said the original patch was a knee jerk fix to get around our immediate production issues :( Will try to make some time to look at the whole thing. |
Just stumbled on the bug when upgrading cheerio. I also had to pin it to 0.15, as this is a breaking change for us too - we use cheerio to read and transform HTML, and if the transformed HTML includes a script tag, that script tag will not parse in browsers. (Well, I tried Chrome, but I'm assuming all the others...) |
We also had to pin to Cheerio 0.15, because the output from .html() now has invalid escaped inline stylesheets etc. |
Similar problem with tag attributes, it mangles following And I can't see the use case for escaping attribute values, since they weren't decoded in the first place. |
I've had to pin to Cheerio 0.15 as well, for the reasons noted above (script tags having their content mangled). |
Will be fixed by #458. |
I've found the solution for this problem and other ones, just need to fix the tests. |
Submitted PR #499 |
What we are doing might be an edge case, but we use cheerio to parse and build a Swig template for rendering on the server. And v0.16 starts to escape this line:
into
which causes Swig to choke. I am wondering if this is a supported use case in the future? Or can we turn off such escaping with a setting (apologies if I overlooked something trivial) |
The next release will allow you to pass decodeEntities: false, resulting Felix |
As of the latest master the contents of script tags are HTML escaped.