[moin-user] ||<tableclass="…"> processing broken in Moin 1.9.9

Paul Boddie paul at boddie.org.uk
Wed Nov 29 11:57:16 EST 2017


On Wednesday 29. November 2017 17.28.16 Paul Boddie wrote:
> 
> Actually, I must be mistaken. If you look at the source, there is
> superfluous quoting going on. But then again, the styling does seem to
> work, or at least the colour styles get parsed.
> 
> Well, I'll get back to looking at the code again, I guess.

OK, I now see the problem. After considering what the attributes look like as 
they pass through the formatter and parser code, it turned out that they were 
always double-escaped. This led me to the following in the parser code:

def _getTableAttrs(self, attrdef):
  ...
  attr, msg = wikiutil.parseAttributes(...)

See: MoinMoin/parser/text_moin_wiki.py

This in turn led me to the offending function:

def parseAttributes(request, attrstring, endtoken=None, extension=None):
  ...
    # safely escape and quote value
    if val[0] in ["'", '"']:
        val = escape(val)
    else:
        val = '"%s"' % escape(val, 1)

See: MoinMoin/wikiutil.py

Since Werkzeug decided to offer only one kind of escaping, deprecating the 
quote parameter, any escape invocation will now escape quotes regardless of 
whether the quote parameter is specified or what its value is. So here, where 
we don't want the quotes to be escaped, Werkzeug will just escape them anyway.

(Honestly, it is absurd that the Werkzeug code actively contradicts any 
supplied value, offering a feeble "deprecation error" as it does so.)

I guess that the idea was to use werkzeug.utils.escape instead of cgi.escape 
in Moin, but since it breaks compatibility, this idea doesn't make sense any 
more. So I'm almost inclined to think that the code should go back to using 
cgi.escape, not just in the above function but more widely.

However, we don't know which escape invocations rely on extra functionality in 
Werkzeug's implementation such as returning an empty string if supplied with 
None, or doing some coercions to strings and using special __html__ methods. 
The latter two things seem less likely within Moin code, especially since Moin 
was originally using cgi.escape and was thus oblivious to Werkzeug's magic.

So, there's a quick fix and a potentially better fix that might deal with 
unnoticed breakage.

Paul
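The escaping mismatch described above, as an added example that is not part of the original post nor of the Moin or Werkzeug code. The standard-library html.escape stands in for both libraries: escape_quote_aware models cgi.escape's behaviour of escaping quotes only when asked, and escape_always models the Werkzeug behaviour the mail describes, where the quote parameter is ignored and quotes are always escaped (Werkzeug's None-to-empty-string coercion is included too). quote_attr_value is a hypothetical reconstruction of the quoted parseAttributes logic, and is_wellformed_attr_value is a constructed check a maintainer could use to catch the resulting double-escaped attributes in tests.

```python
import html


def escape_quote_aware(s, quote=False):
    # Models cgi.escape(s, quote): '&', '<', '>' always; quotes only on request.
    # (html.escape also escapes "'" when quote is true; cgi.escape only did '"'.
    #  That difference does not matter for the values used here.)
    return html.escape(s, quote=bool(quote))


def escape_always(s, quote=False):
    # Models the Werkzeug behaviour the mail complains about: the quote
    # argument is accepted but ignored, and quotes are escaped regardless.
    # Werkzeug's extra behaviour of mapping None to "" is modelled as well.
    if s is None:
        return ""
    return html.escape(s, quote=True)


def quote_attr_value(val, escape):
    # Hypothetical reconstruction of the snippet quoted from parseAttributes:
    # a value the wiki author already quoted is escaped *without* quote
    # escaping so its delimiters survive; a bare value is escaped with
    # quote escaping and then wrapped in double quotes.
    if val[0] in ["'", '"']:
        return escape(val)
    return '"%s"' % escape(val, 1)


def render_attrs(attrs, escape):
    # Joins (name, value) pairs into an attribute string, e.g. for a <td>.
    return " ".join("%s=%s" % (name, quote_attr_value(value, escape))
                    for name, value in attrs)


def is_wellformed_attr_value(rendered):
    # Constructed check: a rendered attribute value must begin and end with
    # the same literal quote character and contain no further copy of it.
    # An over-escaped value such as &quot;red&quot; fails this test.
    if len(rendered) < 2 or rendered[0] not in ('"', "'"):
        return False
    q = rendered[0]
    return rendered[-1] == q and q not in rendered[1:-1]


if __name__ == "__main__":
    # Constructed sample attributes as they might come from ||<tableclass="..."> markup.
    sample = [("tableclass", '"mytable"'), ("style", '"color: red"'), ("title", "a<b")]
    for name, fn in (("cgi.escape-like", escape_quote_aware),
                     ("werkzeug-like", escape_always)):
        out = render_attrs(sample, fn)
        ok = all(is_wellformed_attr_value(quote_attr_value(v, fn)) for _, v in sample)
        print("%-16s %-60s well-formed=%s" % (name, out, ok))
```

With the quote-aware escaper the pre-quoted values pass through intact and the bare value is wrapped and escaped; with the always-escape model the delimiters themselves become `&quot;`, which is the double escaping seen in the page source. Note the direction of the failure: over-escaping breaks rendering but does not open an injection path, whereas a replacement escape helper that silently stopped escaping quotes would. Any fix that swaps escape implementations should therefore be accompanied by tests like is_wellformed_attr_value on both pre-quoted and bare inputs.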

