Maxim Kirillov <[EMAIL PROTECTED]> writes:

> for this document:
> ----------------
> <html>
> <script type="text/javaScript" language="javascript">
>     document.write('<input type="hidden" name="oRef" value="' + 
> document.referrer.replace(/"/gi,'') + '" />');
> </script>
> aaa
> </html>
> -----------------
> 
> setting disable-script = on 
> 
> produces the following:
> ----------------------
> <html>
> <!-- WWWOFFLE (disable-script) - script type="text/javaScript" 
> language="javascript" -->
> <!-- WWWOFFLE (disable-script) - ... -->
> ----------------------
> 
> this is wrong.
> 
> the real world example is here:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=aea55f2f-07b5-4a8c-8a44-b4e1b196d5c0&displaylang=en
> 
> looks like parser cannot detect the script end

First let me say that I don't understand JavaScript language rules.
What exists in WWWOFFLE is what makes sense for a normal language with
respect to quote characters " and '.  This means that they must be
matched at the start and end of the string that they are quoting;
within a string they are ignored (if they don't match the one that
started the string), and if they are prefixed with a '\' character they
are ignored.

The problem here is that the quote characters are not matched (or as
WWWOFFLE sees them they are not matched).  I don't know if this is
legal JavaScript or not.

    document.write('<input type="hidden" name="oRef" value="' + document.referrer.replace(/"/gi,'') + '" />');
                   ^                                        ^                              ^           ^   ^
                   |                                        |                              |           |   |
                start(')                                 finish(')                     start(") finish(") start(')

In the function call of document.referrer.replace() there is no way
that WWWOFFLE can tell that /"/ does not contain just a normal opening
quote that should have a matching end somewhere.

It wouldn't work for WWWOFFLE to recognise '/' as a character that
should have a matching end.

There might be other characters with the " within the two '/' so that
looking for '/"/' only fixes this one problem, but probably breaks
something else.

It wouldn't make sense for WWWOFFLE to have a list of which functions
can take arguments like this (there might not be such a list anyway).

WWWOFFLE cannot just match '</script>' within a quoted string as being
the end of a script because it might not be.

WWWOFFLE cannot just have a maximum string limit because this wouldn't
work either.

I cannot see a solution to this problem.

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             [EMAIL PROTECTED]
                                      http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
        http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
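
Added example, not part of the original message and not WWWOFFLE's code: the quote-matching scan described in the reply, next to the rule HTML tokenizers use for script content (the element ends at the first `</script` followed by whitespace, `/` or `>`, whatever the JavaScript quoting), both run over the document from the report. The function names and the `<!-- script removed -->` marker are hypothetical, and the tokenizer's `<!--` escape states are left out.

```javascript
// Constructed sample: the document from the report, script element included.
const SAMPLE = [
  '<html>',
  '<script type="text/javaScript" language="javascript">',
  `    document.write('<input type="hidden" name="oRef" value="' +`,
  `document.referrer.replace(/"/gi,'') + '" />');`,
  '</script>', 'aaa', '</html>',
].join('\n');

// Quote matching as described in the reply (hypothetical re-implementation):
// ' and " open a string, only the same character closes it, \ escapes.
function quoteAwareEnd(html, from) {
  let quote = null;
  for (let i = from; i < html.length; i++) {
    const c = html[i];
    if (quote) {
      if (c === '\\') i++;                    // skip the escaped character
      else if (c === quote) quote = null;     // matching quote ends the string
    } else if (c === '"' || c === "'") {
      quote = c;                              // the " in /"/ lands here
    } else if (html.slice(i, i + 8).toLowerCase() === '</script') {
      return i;                               // end tag seen outside a string
    }
  }
  return -1;                                  // never left the last "string"
}

// HTML tokenizer rule (simplified): first "</script" followed by
// whitespace, "/" or ">" ends the element, even inside a JS string.
function tokenizerEnd(html, from) {
  const m = /<\/script[\s\/>]/i.exec(html.slice(from));
  return m ? from + m.index : -1;
}

// Replace each script element with a marker, using findEnd to locate its end.
function stripScripts(html, findEnd) {
  const open = /<script\b[^>]*>/gi;           // simplified start-tag match
  let out = '', pos = 0, m;
  while ((m = open.exec(html)) !== null) {
    out += html.slice(pos, m.index) + '<!-- script removed -->';
    const end = findEnd(html, open.lastIndex);
    if (end < 0) return out;                  // no end found: rest of page lost
    const close = html.indexOf('>', end);
    pos = close < 0 ? html.length : close + 1;
    open.lastIndex = pos;
  }
  return out + html.slice(pos);
}

console.log([quoteAwareEnd, tokenizerEnd].map(f => JSON.stringify(stripScripts(SAMPLE, f))).join('\n'));
```

A filter whose idea of where a script ends differs from the browser's either drops page content, as in the report, or passes through text that the browser will run as script.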
