Posted on 2008-10-17 05:41:52-07 by djrbourg
Failing tests --ok?
|
I'm getting an install error which seems to occur almost universally, looking at the test reports on CPAN:
t/03security.....
# Failed test 'HTML/XML entities'
# at t/03security.t line 35.
# got: '<p>unsafe</p>'
# expected: '<p>unsafe</p><script'
# Failed test 'HTML/XML entities with incomplete tag'
# at t/03security.t line 40.
# got: ''
# expected: '<p attr_ok="test>unsafe</p>'
# Looks like you failed 2 tests of 4.
t/03security.....dubious
The tests are:
# ----------------------------------------
is(despace $safe->filter_xml_fragment(qq(
<p>unsafe</p><script
)), '<p>unsafe</p><script', "HTML/XML entities");
# ----------------------------------------
is(despace $safe->filter_xml_fragment(qq(
<p attr_ok="test>unsafe</p>
)), '<p attr_ok="test>unsafe</p>', "HTML/XML entities with incomplete tag");
--
Does anybody know if this is benign or not? My impression is that those two tests don't make sense, judging from the doc on filter_xml_fragment():

"Like above, but operates on the data as though it were well-formed XML. Use this if you intend on providing XHTML, for example."

The input isn't well-formed XML, so this sub is misused by the test. The sub builds a tree using HTML::TreeBuilder. Presumably, the behavior of this package has changed since HTML::Sanitizer was made and it doesn't treat ill-formed XML the way it used to. Now that doesn't really tell us whether HTML::Sanitizer is usable as it is. However, the actual output given is that the ill-formed bits are discarded (instead of being escaped). I wouldn't think this creates an opportunity for cross-site scripting so long as the user input is processed in one big chunk, but your views would be very much appreciated.

david b
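To make the escape-versus-discard distinction in the post concrete, here is an added example, written for this page: it is not HTML::Sanitizer's code and does not reproduce HTML::TreeBuilder's parsing. It is a small allow-list sanitizer in Python whose policy for a '<' that never becomes a complete tag can be set either to escape it or to discard it together with everything after it. The allow-list (`p` with `attr_ok`, `b`, `i`), the function names, and the sample inputs (the two strings from the failing tests with the surrounding whitespace that `despace` removes already stripped, plus a constructed input split across two chunks) are all assumptions of the example. The discard policy happens to yield exactly the two "got" strings in the test report; the chunked run shows how a tag straddling a chunk boundary is mangled when each chunk is sanitized on its own, which is why the post's condition that input be processed as one chunk matters. `leaks_markup` is the check a practitioner would run on the output: does any non-allow-listed tag or raw '<' survive?

```python
"""Allow-list HTML fragment sanitizer with a selectable policy for a '<' that
never becomes a complete tag. Constructed for this page; it is not
HTML::Sanitizer's code and does not reproduce HTML::TreeBuilder's parsing."""
import re
from html import escape

# Hypothetical allow-list: element name -> attributes permitted on it.
ALLOWED = {"p": {"attr_ok"}, "b": set(), "i": set()}

# A complete tag: optional '/', a name, well-formed attributes, then '>'.
_ATTR = r"""[a-zA-Z_:][-\w:]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?"""
TAG_RE = re.compile(r"<(/?)([a-zA-Z]\w*)((?:\s+" + _ATTR + r")*)\s*(/?)>")
ATTR_RE = re.compile(r"""([a-zA-Z_:][-\w:]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")


def sanitize(fragment, incomplete="escape"):
    """Keep only allow-listed elements and attributes; escape everything else.

    incomplete="escape": a '<' that starts no complete tag is emitted as '&lt;'.
    incomplete="drop":   that '<' and everything after it is discarded, which is
                         what the "got" values in the failing test output show.
    """
    out, stack, i = [], [], 0
    while i < len(fragment):
        lt = fragment.find("<", i)
        if lt < 0:
            out.append(escape(fragment[i:], quote=False))
            break
        out.append(escape(fragment[i:lt], quote=False))
        m = TAG_RE.match(fragment, lt)
        if m is None:                      # '<' with no complete tag behind it
            if incomplete == "drop":
                break
            out.append("&lt;")
            i = lt + 1
            continue
        closing, name, attrs, selfclose = m.groups()
        name, i = name.lower(), m.end()
        if name not in ALLOWED:            # disallowed element: tag removed, text kept
            continue
        if closing:
            if name in stack:              # close back down to the matching open tag
                while (top := stack.pop()) != name:
                    out.append(f"</{top}>")
                out.append(f"</{name}>")
            continue
        kept = []
        for a in ATTR_RE.finditer(attrs):
            aname = a.group(1).lower()
            if aname in ALLOWED[name]:
                value = next((v for v in a.groups()[1:] if v is not None), "")
                kept.append(f' {aname}="{escape(value, quote=True)}"')
        out.append(f"<{name}{''.join(kept)}>")
        if not selfclose:
            stack.append(name)
    while stack:                           # never leave an element open
        out.append(f"</{stack.pop()}>")
    return "".join(out)


def sanitize_chunked(chunks, incomplete="escape"):
    """What a caller gets when each chunk is sanitized on its own."""
    return "".join(sanitize(c, incomplete) for c in chunks)


def leaks_markup(html):
    """True if `html` still contains a non-allow-listed tag or a raw '<'."""
    names = {m.group(2).lower() for m in TAG_RE.finditer(html)}
    return bool(names - set(ALLOWED)) or "<" in TAG_RE.sub("", html)


if __name__ == "__main__":
    # The two inputs from the failing tests, with despace() already applied.
    for s in ('<p>unsafe</p><script', '<p attr_ok="test>unsafe</p>'):
        for policy in ("escape", "drop"):
            out = sanitize(s, policy)
            print(f"{policy:6} {s!r:32} -> {out!r}  leaks={leaks_markup(out)}")
    # Constructed input split so that a tag straddles the chunk boundary.
    parts = ["<p>hello <b", ">world</b></p>"]
    print("chunked:", sanitize_chunked(parts, "drop"))
    print("whole:  ", sanitize("".join(parts), "drop"))
```

Under either policy neither test input leaves active markup behind, which is the poster's point; the difference is data loss, and with "drop" the loss grows from the first dangling '<' to the end of whatever unit was handed to the sanitizer. That is the practical cost of splitting input before sanitizing: the chunked run turns `<p>hello <b>world</b></p>` into `<p>hello </p>&gt;world`, while the same bytes processed as one chunk survive intact.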