As several people have angrily pointed out to me, the original version of my previous post (which, ironically enough, was about an HTML escaping bug in Manila) triggered an HTML unescaping bug in Radio Userland. If you are a Radio user who can no longer get to your news aggregator page because it redirects to another page, do this:

  1. Delete your diveintomark subscription from your subscriptions page.
  2. Resubscribe to diveintomark (optional).
  3. Don’t blame me. This is Radio Userland’s bug, and I never intended to trigger it. I’m as much a victim here as you are.

(Alternate solution: turn off Javascript in your browser, then revisit your news aggregator page and delete the “Full disclosure” post.)

Here’s the problem: my original post contained a (properly escaped) SCRIPT tag. If you read the post on diveintomark.org through a normal web browser, you would have seen the words SCRIPT LANGUAGE=”Javascript” in brackets; you would not have executed this tag, since it was properly HTML-escaped.

The RSS version of the post contained these characters (separated here by dashes to avoid triggering the same Radio bug twice in one day):

&-l-t-;-p-&-g-t-;-&-a-m-p-;-l-t-;-s-c-r-i-p-t - l-a-n-g-u-a-g-e-=-&-q-u-o-t-;-J-a-v-a-s-c-r-i-p-t-&-q-u-o-t-;-&-g-t-;

This is acceptable and correct according to the RSS 0.92 spec: “Further, 0.92 allows entity-encoded HTML in the description of an item, to reflect actual practice by bloggers.” My HTML was properly entity-encoded (the same thing as “HTML-escaped”, the term I used earlier), but Radio incorrectly decoded this HTML into a bare SCRIPT tag, which your browser then interpreted as a SCRIPT tag, thus causing your page to redirect.

Most likely, Radio’s HTML entity decoding routine decodes the amp entity first, then the lt entity second. This is wrong; you must always decode the amp entity last. Otherwise you can end up (incorrectly) double-decoding properly encoded HTML, which is exactly what happened here.
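To make the ordering point concrete, here is an added example (not Radio's code, and not from the original post) that decodes the entity-encoded description from the RSS feed in both orders. The input string is the same sequence of characters shown above with the dashes removed; the entity table is a small hypothetical one covering only the four entities involved.

```python
import html
import re

# Constructed sample: the RSS <description> of the post. It is HTML that has
# been entity-encoded once; the text inside it shows an already-escaped
# <script> tag, so a correct decoder must leave "&lt;script" as text.
ENCODED = "&lt;p&gt;&amp;lt;script language=&amp;quot;Javascript&amp;quot;&amp;gt;"

# Hypothetical minimal entity table; a real decoder covers many more names.
ENTITIES = {"lt": "<", "gt": ">", "quot": '"', "amp": "&"}


def decode_in_order(text, order):
    """Decode named entities one entity at a time, in the given order.

    Each pass rescans the whole string, so anything a pass produces is
    visible to the passes that follow it. That is exactly why the order
    matters: a pass that turns "&amp;" into "&" manufactures new entities
    for later passes to consume.
    """
    for name in order:
        text = text.replace(f"&{name};", ENTITIES[name])
    return text


def decode_buggy(text):
    """The suspected Radio behaviour: amp first, everything else after."""
    return decode_in_order(text, ["amp", "lt", "gt", "quot"])


def decode_amp_last(text):
    """Multi-pass decoding done safely: amp is decoded last."""
    return decode_in_order(text, ["lt", "gt", "quot", "amp"])


def decode_single_pass(text):
    """The robust alternative: one left-to-right pass, output never rescanned."""
    return re.sub(r"&(lt|gt|quot|amp);", lambda m: ENTITIES[m.group(1)], text)


def contains_live_script_tag(markup):
    """True if the decoded markup contains a real <script ...> start tag."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def matches_stdlib(text):
    """Check the amp-last and single-pass results against html.unescape."""
    expected = html.unescape(text)
    return decode_amp_last(text) == expected == decode_single_pass(text)


if __name__ == "__main__":
    print("buggy    :", decode_buggy(ENCODED))
    print("amp last :", decode_amp_last(ENCODED))
    print("one pass :", decode_single_pass(ENCODED))
```

Running it shows the buggy order producing `<p><script language="Javascript">`, a tag the browser will execute, while both safe decoders produce `<p>&lt;script language=&quot;Javascript&quot;&gt;`, which renders as the literal words the post intended. A single-pass decoder such as Python's `html.unescape` avoids the question of ordering altogether, which is the easier property to get right.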

So again, I apologize to my faithful readers, but please understand that this was not intentional and it was not my fault. I am as much a victim here as you are.

§

© 2001–8 Mark Pilgrim