Re: [NSE] http-feed.nse

[George Chatzisofroniou <sophron () latthi com>]

On Sat, Aug 17, 2013 at 10:14:38AM -0700, David Fifield wrote: 
> To be clear, the & is not the reason the feed wasn't detected with
> the previous version of the script, right? It was because the script
> lacked an "application/atom+xml" pattern.

It was both. Even if there was the right pattern, the url won't get parsed
correcly. Try commenting out "l = l:gsub("&", "&")" to see it by yourself.
 
> The right way to get rid of the & is with an HTML parser. Since we
> don't have that, I think I would prefer that we not interpret the string
> at all in the script. If we handle &, we really should handle <
> and > and especially " and ' that are likely to appear in
> attribute values. (Granted, & is the most likely and most
> problematic of all of these.) But there are also numeric character
> entities and the large number of HTML named entities too.
>
> Decoding just & and nothing else creates ambiguities, for example
> both of the input strings
>       http://example.com/?a=b"=d
>       http://example.com/?a=b"c=d
> map to the same output string
>       http://example.com/?a=b"=d
>
> I agree with you that it shouldn't be handled by just this script, in
> just this place.

Yes, you are right. I don't like it either. I removed it from the script.

> In HTML5 there are some rules about when an ampersand is just an
> ampersand and when it is part of a character reference.
> http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#syntax-ambiguous-ampersand
> http://www.w3.org/International/questions/qa-escapes#bytheway

It looks like HTML5 rules are different from HTML4. According to HTML4 specs,
encoding an ampersand is always required, even though most of developers ignore
this.

-- 
George Chatzisofroniou
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/