[jitsi-dev] [Bug] Smiley Replacement doesn't escape input


#1

I seem to have uncovered an issue with how emoticons are parsed (presumably package net.java.sip.communicator.impl.replacement.smiley).

If the string ';(' (without quotes) is a registered emoticon (and it is by default at net.java.sip.communicator.impl.replacement.smiley.Resources#51) then the output is a sad face as you'd expect.

If the user input is '<(' however the output is the character '<' followed by a sad face, which is not intentional behaviour.

This happens because the '<' character expands to '&lt;', making the user input string '&lt;(' which contains the ';('. Jitsi renders the '&lt' as a literal '<' and parses the remaining ';(' as an image.

The solution for this would be to prefilter the characters given to the replacement service, as it should presumably only replace decoded text, not pieces of markup such as entity references, HTML tags and so forth. Unfortunately I am not yet familiar enough with Jitsi to create a suitable patch.

I hope this helps diagnose the issue for someone more adept at understanding the replacement system.

----
Toby Pinder | Software Developer
Smith Electric Vehicles
E. toby.pinder@smithelectric.com
W. www.smithelectric.com
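
The failure described in this report and the suggested ordering (match on decoded text, escape afterwards), as an added example that is not Jitsi's code and not part of the original post. The class name, smiley table and image markup are constructed for illustration; only ';(' comes from the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SmileyEscapeDemo {
    // Constructed table: only ";(" is taken from the report.
    static final Map<String, String> SMILEYS = new LinkedHashMap<>();
    static {
        SMILEYS.put(">:(", "angry");
        SMILEYS.put(";(", "sad");
    }
    static final Pattern ANY = Pattern.compile(SMILEYS.keySet().stream()
        .map(Pattern::quote).collect(Collectors.joining("|")));

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Swap smileys for image markup; escape the text between them only when
    // the input is still raw (not yet HTML-escaped).
    static String render(String text, boolean textIsRaw) {
        StringBuilder out = new StringBuilder();
        Matcher m = ANY.matcher(text);
        int pos = 0;
        while (m.find()) {
            String gap = text.substring(pos, m.start());
            out.append(textIsRaw ? escape(gap) : gap)
               .append("<img alt=\"").append(SMILEYS.get(m.group())).append("\">");
            pos = m.end();
        }
        String tail = text.substring(pos);
        return out.append(textIsRaw ? escape(tail) : tail).toString();
    }

    // Order described in the report: escape first, then match on the markup.
    static String escapeThenReplace(String raw) { return render(escape(raw), false); }

    // Suggested order: match on decoded text, escape what is left.
    static String replaceThenEscape(String raw) { return render(raw, true); }

    public static void main(String[] args) {
        for (String raw : new String[] {"<(", "oh no ;(", ">:("}) {
            System.out.println(raw + "  escape-then-replace: " + escapeThenReplace(raw));
            System.out.println(raw + "  replace-then-escape: " + replaceThenEscape(raw));
        }
    }
}
```

The constructed '>:(' entry shows the opposite failure of the same ordering: once '>' has become '&gt;', a smiley containing it no longer matches at all.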


#2

Hello,

Thanks for noticing!
I will take a look into this one.

Regards,
Marin


On Fri, Oct 25, 2013 at 6:06 PM, Toby Pinder <Toby.Pinder@smithelectric.com> wrote:

I seem to have uncovered an issue with how emoticons are parsed
(presumably package net.java.sip.communicator.impl.replacement.smiley).

If the string ';(' (without quotes) is a registered emoticon (and it is by
default at net.java.sip.communicator.impl.replacement.smiley.Resources#51)
then the output is a sad face as you'd expect.

If the user input is '<(' however the output is the character '<' followed
by a sad face, which is not intentional behaviour.

This happens because the '<' character expands to '&lt;', making the user
input string '&lt;(' which contains the ';('. Jitsi renders the '&lt' as a
literal '<' and parses the remaining ';(' as an image.

The solution for this would be to prefilter the characters given to the
replacement service, as it should presumably only replace decoded text, not
pieces of markup such as entity references, HTML tags and so forth.
Unfortunately I am not yet familiar enough with Jitsi to create a suitable
patch.

I hope this helps diagnose the issue for someone more adept at
understanding the replacement system.

----
Toby Pinder | Software Developer
Smith Electric Vehicles
E. toby.pinder@smithelectric.com
W. www.smithelectric.com
