[moin-user] ||<tableclass="…"> processing broken in Moin 1.9.9
Paul Boddie
paul at boddie.org.uk
Wed Nov 29 11:57:16 EST 2017
On Wednesday 29. November 2017 17.28.16 Paul Boddie wrote:
>
> Actually, I must be mistaken. If you look at the source, there is
> superfluous quoting going on. But then again, the styling does seem to
> work, or at least the colour styles get parsed.
>
> Well, I'll get back to looking at the code again, I guess.
OK, I now see the problem. After considering what the attributes look like as
they pass through the formatter and parser code, it turned out that they were
always double-escaped. This led me to the following in the parser code:

    def _getTableAttrs(self, attrdef):
        ...
        attr, msg = wikiutil.parseAttributes(...)

See: MoinMoin/parser/text_moin_wiki.py

This in turn led me to the offending function:

    def parseAttributes(request, attrstring, endtoken=None, extension=None):
        ...
        # safely escape and quote value
        if val[0] in ["'", '"']:
            val = escape(val)
        else:
            val = '"%s"' % escape(val, 1)

See: MoinMoin/wikiutil.py

Since Werkzeug decided to offer only one kind of escaping, deprecating the
quote parameter, any escape invocation will now escape quotes regardless of
whether the quote parameter is specified or what its value is. So here, where
we don't want the quotes to be escaped, Werkzeug will just escape them anyway.
(Honestly, it is absurd that the Werkzeug code actively contradicts any
supplied value, offering a feeble "deprecation error" as it does so.)

I guess that the idea was to use werkzeug.utils.escape instead of cgi.escape
in Moin, but since it breaks compatibility, this idea doesn't make sense any
more. So I'm almost inclined to think that the code should go back to using
cgi.escape, not just in the above function but more widely.

However, we don't know which escape invocations rely on extra functionality in
Werkzeug's implementation such as returning an empty string if supplied with
None, or doing some coercions to strings and using special __html__ methods.
The latter two things seem less likely within Moin code, especially since Moin
was originally using cgi.escape and was thus oblivious to Werkzeug's magic.

So, there's a quick fix and a potentially better fix that might deal with
unnoticed breakage.

Paul
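The difference described in the message above, as an added example that is not part of the original post and is not MoinMoin or Werkzeug code. The two escape functions are simplified models of the behaviours the message describes, and `quote_attr_value`, `render` and the sample attributes are hypothetical names and constructed input.

```python
# Added illustration: simplified models of the two escaping behaviours
# described in the message, not the real cgi or Werkzeug functions.

def cgi_style_escape(s, quote=None):
    """Model of cgi.escape: '"' is escaped only when quote is true."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return s.replace('"', "&quot;") if quote else s


def werkzeug_style_escape(s, quote=None):
    """Model of the escape the message describes: the quote argument is
    ignored, '"' is always escaped, and None becomes an empty string."""
    if s is None:
        return ""
    return cgi_style_escape(str(s), quote=True)


def quote_attr_value(val, escape):
    """The quoting branch quoted from parseAttributes, with the escape
    function passed in so both behaviours can be compared."""
    if val[0] in ["'", '"']:
        # Already quoted: the delimiters must survive escaping.
        return escape(val)
    # Unquoted: escape everything, then add the delimiters.
    return '"%s"' % escape(val, 1)


def render(attrs, escape):
    """Hypothetical helper: build an opening tag from (name, value) pairs."""
    parts = ["%s=%s" % (name, quote_attr_value(val, escape)) for name, val in attrs]
    return "<table %s>" % " ".join(parts)


# Constructed sample: one value arrives already quoted, one does not.
SAMPLE = [("class", '"wide"'), ("style", "color: red")]

if __name__ == "__main__":
    print(render(SAMPLE, cgi_style_escape))       # delimiters kept
    print(render(SAMPLE, werkzeug_style_escape))  # delimiters turned into &quot;
    # Unquoted input containing markup characters is neutralised either way.
    print(quote_attr_value('a"b<c', cgi_style_escape))
    print(quote_attr_value('a"b<c', werkzeug_style_escape))
```

Only the already-quoted branch changes between the two models; the unquoted branch escapes quotes under both, so moving that one call back to a quote-preserving escape does not weaken the escaping applied to unquoted values.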