This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 5770 - Unescaped input (URI, selector) causes ill-formed SOAP output
Status: RESOLVED FIXED
Alias: None
Product: CSSValidator
Classification: Unclassified
Component: CSS 2.1
Version: CSS Validator
Hardware: All All
Importance: P1 major
Target Milestone: ---
Assignee: This bug has no owner yet - up for the taking
QA Contact: qa-dev tracking
URL: http://jigsaw.w3.org/css-validator
Reported: 2008-06-18 18:08 UTC by Bug Me Not
Modified: 2012-09-21 14:34 UTC

Attachments
SOAP output for this error. (1.72 KB, text/xml)
2008-06-18 18:08 UTC, Bug Me Not
Output from using a ">" in a selector (2.34 KB, text/xml)
2008-06-18 18:35 UTC, Bug Me Not
test case as standalone css file (106 bytes, text/css)
2009-01-21 20:58 UTC, Olivier Thereaux

Description Bug Me Not 2008-06-18 18:08:18 UTC
Created attachment 558
SOAP output for this error.

When validating CSS that includes URLs with ampersands in them, the responses do not return valid XML (or XHTML). This is because the ampersands are carried through to the output without being encoded.

Example Input (typed into the TextArea or set as text in POST):

.google
{
       background-image: url(http://www.google.com/logo.jpg?is=evil&but=we_love_them_anyway);
}

Location of Error in SOAP output:
/env:Envelope/env:Body/m:cssvalidationresponse/m:result/m:css/m:noAtRule/m:selector/m:RuleList/m:Rule/m:PropertyValue


If XML encoding is too much trouble, you might consider adding CDATA blocks around the contents of this field.

Comment 1 Bug Me Not 2008-06-18 18:34:21 UTC
This bug also happens with ">" characters in selectors, although my XML parser handles this so I am not sure if this is as severe as the above bug.

Input:
.google > .yahoo
{
   color: red;
}

Some of the problem areas:
/env:Envelope/env:Body/m:cssvalidationresponse/m:result/m:warnings/m:warninglist/m:warning/m:context
/env:Envelope/env:Body/m:cssvalidationresponse/m:result/m:css/m:noAtRule/m:selector/m:selectorValue



Comment 2 Bug Me Not 2008-06-18 18:35:34 UTC
Created attachment 559
Output from using a ">" in a selector

Comment 3 Olivier Thereaux 2009-01-21 20:58:54 UTC
Created attachment 619
test case as standalone css file

Comment 4 Yves Lafon 2009-02-25 20:50:05 UTC
Fixed by adding new function to generate escaped versions. The XHTML and SOAP1.2 templates are now using those functions.
See http://qa-dev.w3.org:8001/css-validator/
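
An added illustration of the failure reported above and of the two remedies discussed (escaping, and the CDATA suggestion), written for this archive and not taken from the CSS Validator's own code. The function names and the un-prefixed element names are assumptions made for the example; the inputs are constructed from the two test cases in the report.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed inputs modelled on the two reports in this bug.
PROPERTY_VALUE = "url(http://www.google.com/logo.jpg?is=evil&but=we_love_them_anyway)"
SELECTOR = ".google > .yahoo"

def render_raw(tag, value):
    """The buggy pattern: user-controlled text pasted into the template as-is."""
    return f"<{tag}>{value}</{tag}>"

def render_escaped(tag, value):
    """Escape &, < and > so the value is always plain XML character data."""
    return f"<{tag}>{escape(value)}</{tag}>"

def render_cdata(tag, value):
    """CDATA alternative: a literal "]]>" in the value must be split across
    two sections, otherwise it terminates the CDATA block early."""
    safe = value.replace("]]>", "]]]]><![CDATA[>")
    return f"<{tag}><![CDATA[{safe}]]></{tag}>"

def parse_text(xml):
    """Return the element text, or None when the document is not well-formed."""
    try:
        return ET.fromstring(xml).text
    except ET.ParseError:
        return None

if __name__ == "__main__":
    # Tag names are used without the m: prefix so no namespace binding is needed.
    for value in (PROPERTY_VALUE, SELECTOR, "a]]>b<c"):
        for render in (render_raw, render_escaped, render_cdata):
            result = parse_text(render("PropertyValue", value))
            print(f"{render.__name__:15} {value!r:75} -> {result!r}")
```

The raw ">" case parses, which matches the observation in Comment 1, while the raw "&" case does not. Escaping here covers element content only; a value placed in an attribute would also need its quote characters escaped.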