Debian Bug report logs - #65151
lynx-ssl: <> in javascript causes premature </script>

Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: bglbv@my-deja.com

Date: Sat, 3 Jun 2000 14:50:51 UTC

Severity: normal

Fixed in version lynx/2.8.4-1

Done: Adrian Bunk <bunk@fs.tum.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#65151; Package lynx-ssl. Full text and rfc822 format available.

Acknowledgement sent to bglbv@my-deja.com:
New Bug report received and forwarded. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: bglbv@my-deja.com
To: submit@bugs.debian.org
Subject: lynx-ssl: <> in javascript causes premature </script>
Date: 3 Jun 2000 00:53:28 -0000
Package: lynx-ssl
Version: 2.8.3.1-1
Severity: normal

(Probably affects plain lynx as well. w3m is OK. May require upstream fix.)

The following HTML document illustrates the problem:

<html>
<head>
<title>Leaky comments</title>
<script type="text/javascript">
<!--
var x = '<>';
//-->
</script>
</head>
<body>
Did you see that piece of JavaScript?
</body>
</html>

$ lynx -dump script.html

   '; //--> Did you see that piece of JavaScript?

It isn't just the >, as the HTML 4.01 standard suggests might be the case
with some browsers; I tried '< >' and '><', neither of which exhibits the
problem.

-- System Information
Debian Release: 2.2

Versions of the packages lynx-ssl depends on:
ii  debconf        0.2.80.15      Debian configuration management system
ii  libc6          2.1.3-10       GNU C Library: Shared libraries and Timezone
ii  libssl09       0.9.4-5        SSL shared libraries
ii  slang1         1.3.9-1        The S-Lang programming library - runtime ver
ii  zlib1g         1.1.3-5        compression library - runtime
	^^^ (Provides virtual package libz1)



Information forwarded to Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#65151; Package lynx-ssl. Full text and rfc822 format available.

Acknowledgement sent to "H. Nanosecond" <aldomel@ix.netcom.com>:
Extra info received and forwarded to maintainer. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #10 received at 65151-maintonly@bugs.debian.org (full text, mbox):

From: "H. Nanosecond" <aldomel@ix.netcom.com>
To: bglbv@my-deja.com
Cc: 65151-maintonly@bugs.debian.org
Subject: Re: lynx-ssl: <> in javascript causes premature </script>
Date: Tue, 6 Jun 2000 23:12:32 -0400 (EDT)

I checked on http://www.htmlhelp.com/tools/validator/
and it is valid HTML.

The problem is that lynx uses an old version of the libwww library from W3C.




Bug reassigned from package `lynx-ssl' to `lynx'. Request was from "H. Nanosecond" <aldomel@ix.netcom.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#65151; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Klaus Weide <kweide@enteract.com>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>. Full text and rfc822 format available.

Message #17 received at 65151@bugs.debian.org (full text, mbox):

From: Klaus Weide <kweide@enteract.com>
To: 65151@bugs.debian.org
Subject: patch for <> in <SCRIPT> contents - Debian bug #65151 (fwd)
Date: Sun, 9 Jul 2000 15:35:44 -0500 (CDT)

---------- Forwarded message ----------
Date: Sun, 9 Jul 2000 15:34:43 -0500 (CDT)
From: Klaus Weide <kweide@enteract.com>
To: lynx-dev@sig.net
Subject: patch for <> in <SCRIPT> contents - Debian bug #65151

See <http://cgi.debian.org/cgi-bin/bugreport.cgi?bug=65151>.
This appears to fix it.  The code should not have used
string->size-2 as an index without checking that it is valid
anyway.

Note: line numbers are off, expect 'patch' to report a big offset.

   Klaus


--- older/WWW/Library/Implementation/SGML.c	Tue May 23 01:29:41 2000
+++ WWW/Library/Implementation/SGML.c	Wed Jun 21 16:14:29 2000
@@ -2278,7 +2278,8 @@
 	    /*
 	    **	If complete match, end litteral.
 	    */
-	    if ((c == '>') && testtag && !testtag->name[string->size-2]) {
+	    if ((c == '>') && testtag &&
+		string->size > 1 && !testtag->name[string->size-2]) {
 #ifdef USE_PRETTYSRC
 		if (psrc_view) {
 		    PSRCSTART(abracket);PUTC('<');PUTC('/');PSRCSTOP(abracket);
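
Review bot: The added `string->size > 1` test in the `if` condition bounds the index `string->size-2` only from below; nothing in the visible lines shows that the index also stays within the length of `testtag->name`, so please confirm that the code before this point never lets `string->size-2` run past the terminating NUL of the tag name. A one-line comment above the condition, saying that a size of 0 or 1 would otherwise index before the start of `name`, would keep the check from being dropped as redundant later. The existing comment "If complete match, end litteral" could be updated at the same time to mention that precondition.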





Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#65151; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@cibalia.gkvk.hr>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>. Full text and rfc822 format available.

Message #22 received at 65151@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@cibalia.gkvk.hr>
To: 65151@bugs.debian.org
Subject: fix for this is upstream
Date: Fri, 29 Dec 2000 19:10:58 +0100

Hi,

Klaus Weide's patch is in lynx 2.8.4dev.5, this is the changelog entry:

* fix Debian bug #65151:  "<> in javascript causes premature </script>"
  (reported by H Nanosecond <aldomel@ix.netcom.com>) -KW

-- 
Digital Electronic Being Intended for Assassination and Nullification



Reply sent to Adrian Bunk <bunk@fs.tum.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to bglbv@my-deja.com:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 65151-close@bugs.debian.org (full text, mbox):

From: Adrian Bunk <bunk@fs.tum.de>
To: 65151-close@bugs.debian.org
Subject: Bug#65151: fixed in lynx 2.8.4-1
Date: Sun, 19 Aug 2001 14:59:31 -0400

We believe that the bug you reported is fixed in the latest version of
lynx, which has been installed in the Debian FTP archive:

lynx_2.8.4-1.dsc
  to pool/main/l/lynx/lynx_2.8.4-1.dsc
lynx_2.8.4-1_i386.deb
  to pool/main/l/lynx/lynx_2.8.4-1_i386.deb
lynx_2.8.4-1.diff.gz
  to pool/main/l/lynx/lynx_2.8.4-1.diff.gz
lynx_2.8.4.orig.tar.gz
  to pool/main/l/lynx/lynx_2.8.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 65151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@fs.tum.de> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Aug 2001 16:22:26 +0200
Source: lynx
Binary: lynx
Architecture: source i386
Version: 2.8.4-1
Distribution: unstable
Urgency: high
Maintainer: Adrian Bunk <bunk@fs.tum.de>
Changed-By: Adrian Bunk <bunk@fs.tum.de>
Description: 
 lynx       - Text-mode WWW Browser
Closes: 21096 25968 40482 42859 45803 56639 63638 63641 65151 68542 80496 83249 83784 94604 105559
Changes: 
 lynx (2.8.4-1) unstable; urgency=high
 .
   * New maintainer.
   * New upstream release. (closes: #80496)
     This release fixes the following bugs:
     - %s, %t, %{charset} and %{encoding} substitutions for
       mailcap commands are now implemented. (closes: #21096)
     - The "<> in javascript causes premature </script>" problem
       is fixed. (closes: #65151)
     - A problem with the length of form fields is fixed.
       (closes: #68542)
     - The Japanese message catalog is now included.
       (closes: #63641)
     - The CPU-loop seems to be fixed. (closes: #25968)
   * /etc/lynx.cfg is now a conffile. (closes: #40482)
   * The default startfile is now the local helpfile (and there's
     no longer a question in the postinst).
     (closes: #105559, #83249, #83784)
   * Disable USE_MOUSE in the default configuration.
     (closes: #42859)
   * Set GLOBAL_EXTENSION_MAP and PERSONAL_EXTENSION_MAP in the
     default lynx.cfg. (closes: #94604)
   * Compiled with ncurses instead of slang.
   * Compiled with "--enable-warnings".
   * Compiled with "--enable-color-style".
   * Compiled with "--enable-default-colors". (closes: #45803)
   * Compiled with "--enable-file-upload". (closes: #56639)
   * Compiled with "--enable-ipv6".
   * Compiled with "--enable-justify-elts".
   * Compiled with "--enable-nested-tables".
   * Compiled with "--enable-read-eta".
   * Updated debian/copyright. (closes: #63638)
Files: 
 c3c28620d73877b3df1200f13a4ea1a3 607 web standard lynx_2.8.4-1.dsc
 90aa83a34ea7cb912386604e1ca73aa0 2556501 web standard lynx_2.8.4.orig.tar.gz
 daad12f30dd95c29c4deec45e851dcef 10777 web standard lynx_2.8.4-1.diff.gz
 833acf3c33c1cf99677f67cbae2966f7 1447276 web standard lynx_2.8.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7f+ulmfzqmE8StAARAgxaAJ4gMb+0/CAYkWzw5fEmuqe4Fu734wCfc4tG
A3dZ2Y1yC0N0vGvNBRO8YsE=
=c01O
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:25:44 2014; Machine Name: buxtehude.debian.org