Skip to content
This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

Ampersands being escaped in document.write calls #346

Open
d3x7r0 opened this issue Nov 4, 2016 · 4 comments
Open

Ampersands being escaped in document.write calls #346

d3x7r0 opened this issue Nov 4, 2016 · 4 comments
Labels
bug pull request welcome unit test needed

Comments

@d3x7r0
Copy link

d3x7r0 commented Nov 4, 2016

This relates with issue #98 and the fix done for it.

We just came across some calls being made that got broken when we upgraded from v1 to v2.

The code we found coming from the adserver is something like this:

function(u, t) { // u = "http://example.com?foo=bar&a=1"; t = false
    var a = document.createElement('script');
    a.src = u;
    a.async = t;
    t ? document.appendChild(a) : document.write(a.outerHTML);
}

This worked fine in v1 but now it's broken because the browser returns that outerHTML escaped.

If you run the code straight into a browser or through v1.4.0 it works normally and the ending url is correct (unescaped). If, however, you pass the code through postscribe v2 you end up with "http://example.com?foo=bar&a=1" as the url for the script tag which obviously causes some issues.
@dompuiu
Copy link

dompuiu commented Nov 23, 2016

I am interested to fix this bug, but I wanted to discuss first what would be the best option to fix it.

Looking at postscribe 1.4.0, it seems the src attribute was unescaped here: https://github.com/krux/postscribe/blob/1.4.0/htmlParser/htmlParser.js#L149

That part of code seems to live now in prescribe: https://github.com/krux/prescribe/blob/master/src/streamReaders.js#L62

One option would be to do the unescaping inside prescribe code like it was previously done in postcribe 1.4.0. Another option would be to do the unescaping inside postscribe _handleScriptToken method(https://github.com/krux/postscribe/blob/master/src/write-stream.js#L330). Thoughts?

@cobbdb
Copy link

cobbdb commented Jun 21, 2017

This is happening for quotes as well:

var script = document.createElement('script');
script.src = '...';
script.setAttribute('data-anvp', '{"some":"data"}');
postscribe('#target', script.outerHTML);

.. becomes ..

<script src=".." data-anvp="{&quot;some&quot;:&quot;data&quot;}"></script>

which errors when parsing that attribute value.

@cobbdb
Copy link

cobbdb commented Jun 21, 2017

Was able to work around this by filtering with the beforeWriteToken callback:

        postscribe('#p1', script.outerHTML, {
            beforeWriteToken: function (token) {
                var anvp = token.attrs['data-anvp'];
                if (anvp) {
                    anvp = anvp.replace(/(&quot\;)/g, '"');
                    token.attrs['data-anvp'] = anvp;
                }
                return token;
            }
        });

.. which writes without the html entity and JSON.parse()'s without errors.

@matzeeable
Copy link

I think this relates also to #506.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug pull request welcome unit test needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sethyates @d3x7r0 @dompuiu @matzeeable @cobbdb