Hi all,

When the SSI tag below is handled, the value of the string output to
the browser is entity encoded:

    <!--#echo encoding="entity" var="MY_VAR"-->

This is done with a line that looks something like this:

    /* PR#25202: escape anything non-ascii here */
    echo_text = ap_escape_html2(ctx->dpool, val, 1);

The problem with the above is the parameter "1", which means that non-
ASCII characters are entity encoded as HTML escape sequences, and in
the process anything encoded with UTF-8 (and that is not ASCII) breaks.

What I propose we do is change the value for v2.3+ as follows:

    echo_text = ap_escape_html2(ctx->dpool, val, 0);

This allows UTF-8 character sequences to be passed through unchanged.

Past discussion in PR#25202 seems to revolve around backwards
compatibility, though with v2.4+ we have the power to change this
behaviour.

Does any cross-site scripting risk result from the allowance of UTF-8
character sequences? I understand not, but would like to confirm.

Regards,
Graham
--
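
The following is an added illustration, not part of the original message and not httpd source code. It is a stand-alone model of the two modes the message contrasts, run on a constructed UTF-8 string. The helper name `escape_html_model` is hypothetical, and the per-byte `&#NNN;` output format and the set of always-escaped characters are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an HTML escaper with a "toasc" flag (hypothetical
 * helper, not httpd source). Markup-significant characters are always
 * escaped; bytes >= 0x80 are escaped one at a time only when toasc != 0.
 * Returns the output length, or -1 if out is too small. */
static int escape_html_model(const char *s, int toasc, char *out, size_t outsz)
{
    size_t j = 0;
    if (outsz == 0)
        return -1;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        char num[8];
        const char *rep = NULL;

        if (c == '<')       rep = "&lt;";
        else if (c == '>')  rep = "&gt;";
        else if (c == '&')  rep = "&amp;";
        else if (c == '"')  rep = "&quot;";
        else if (toasc && c >= 0x80) {
            /* Assumed format: one decimal reference per byte, which splits
             * a multi-byte UTF-8 sequence into unrelated characters. */
            snprintf(num, sizeof num, "&#%3.3d;", c);
            rep = num;
        }

        size_t n = rep ? strlen(rep) : 1;
        if (j + n + 1 > outsz)
            return -1;
        if (rep)
            memcpy(out + j, rep, n);
        else
            out[j] = (char)c;
        j += n;
    }
    out[j] = '\0';
    return (int)j;
}

int main(void)
{
    /* Constructed sample: "café" in UTF-8 followed by markup. */
    const char *val = "caf\xc3\xa9<b>";
    char buf[64];

    escape_html_model(val, 1, buf, sizeof buf);
    printf("toasc=1: %s\n", buf);
    escape_html_model(val, 0, buf, sizeof buf);
    printf("toasc=0: %s\n", buf);
    return 0;
}
```

In this model the `<` and `>` in the sample are escaped in both modes; only the handling of the two bytes of "é" differs.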