
DAV HTML/XML character escaping

From: Daniel Patterson <danpat_at_adaptiveinternational.com>
Date: 2003-03-27 02:45:50 CET

Hello all,

Quick hit on the dev list before I file a bug against this
(couldn't find anything in the issue tracker).

It looks like mod_dav_svn isn't properly escaping characters
sent to the other end for display. Using the 0.20 release
(client and server):

  $ touch \"testing\"
  $ touch also\&testing
  $ svn import http://test/repos .

Import works ok, repository looks fine, checkouts work ok. However,
access via WebDAV with a browser produces broken HTML and XML (depending
on the view configured in Apache for that repository).

In HTML mode, I see:

  <a href="%22testing%22">"testing"</a>
    OK
  <a href="also%26testing">also&testing</a>
    broken, should be
    >also&amp;testing</a>

In XML mode, I see:

  <file url="%22testing%22" name=""testing""/>
    broken, should read
    name="&quot;testing&quot;"
  <file url="also%26testing" name="also&testing"/>
    broken, should read
    name="also&amp;testing"

Looking at r5480, the appropriate code is in
subversion/mod_dav_svn/repos.c, between lines 1950 and 1970. It looks
like the "name" variable needs to have entities escaped. I would
supply a patch, but I'm not at all familiar with the Apache or APR
APIs, and I have no idea what function would achieve this (nor do
I have the time to hunt it down). ap_escape_uri is wrong, and it
doesn't look like ap_escape_html escapes the "&quot;" entities
(although I may be wrong on that, I've not tried it).

Should I open a bug for this, or is it already on someone's TODO list?

daniel

Received on Thu Mar 27 02:46:35 2003
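
Added example, not part of the original message and not Subversion's code: a plain C sketch of the escaping the XML listing in the report needs, producing the `name` values the message says should appear. `escape_markup` and `xml_entry` are hypothetical names, no Apache or APR calls are used, and the `url` value is assumed to be percent-encoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an Apache/APR call: escape characters special in
 * markup text and quoted attributes. Returns the length, or -1 if too small. */
static int escape_markup(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&': rep = "&amp;";  break;
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '"': rep = "&quot;"; break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (used + len >= outsz) {      /* keep room for the terminator */
            out[0] = '\0';              /* never leave a partial entity */
            return -1;
        }
        memcpy(out + used, rep ? rep : in, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* One XML listing entry; url is assumed to be percent-encoded already. */
static int xml_entry(const char *url, const char *name, char *out, size_t outsz)
{
    char esc[512];
    int n = -1;
    if (escape_markup(name, esc, sizeof esc) >= 0)
        n = snprintf(out, outsz, "<file url=\"%s\" name=\"%s\"/>", url, esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char line[1024];   /* constructed input: the two names from the message */
    if (xml_entry("%22testing%22", "\"testing\"", line, sizeof line) > 0)
        puts(line);
    if (xml_entry("also%26testing", "also&testing", line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

The same escaped string is what the link text in the HTML view needs; the `href`/`url` side is a separate, URI-encoding step.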

This is an archived mail posted to the Subversion Dev mailing list.
