Tag stripping and escaping of error messages and context. I was initially hoping to keep

formatting in the error messages from the parsers, when available, but the discrepancies
and differences in escaping (or lack thereof) calls for a more drastic approach. Thus:
* better escaping of opensp messages (including instances of rogue amps)
* tag stripping of formatting in html5 parser messages
* no named entities in source snippet
* template output is escaped

7 files changed, 13 insertions, 11 deletions

diff --git a/httpd/cgi-bin/check b/httpd/cgi-bin/check
index 143196e..9b08c68 100755
--- a/httpd/cgi-bin/check
+++ b/httpd/cgi-bin/check
@@ -14,7 +14,7 @@
 # This source code is available under the license at:
 #     http://www.w3.org/Consortium/Legal/copyright-software
 #
-# $Id: check,v 1.603 2008-08-26 16:09:17 ot Exp $
+# $Id: check,v 1.604 2008-09-09 12:55:33 ot Exp $
 
 #
 # Disable buffering on STDOUT!
@@ -191,7 +191,7 @@ Directory not readable (permission denied): @_r
 
   #
   # Strings
-  $VERSION =  q$Revision: 1.603 $;
+  $VERSION =  q$Revision: 1.604 $;
   $VERSION =~ s/Revision: ([\d\.]+) /$1/;
 
   #
@@ -903,8 +903,8 @@ sub html5_validate (\$) {
       my @child_nodes =  $message_node->childNodes;  
       foreach my $child_node (@child_nodes) {
         if ($child_node->localname eq "message") {
-          $html5_error_msg = $child_node->toString();
-          $html5_error_msg =~ s,</?message>,,gi;
+          $html5_error_msg= $child_node->toString();
+          $html5_error_msg =~ s,</?[^>]*>,,gsi;
         }
         if ($child_node->localname eq "elaboration") {
           $html5_error_expl = $child_node->toString();
@@ -1870,7 +1870,7 @@ sub report_errors ($) {
         $col = length($File->{Content}->[$err->{line}-1]);
         $col = 80 if ($col > 80);
         ($line, $col) = &truncate_line($File->{Content}->[$err->{line}-1], $col);
-        $line = &ent($line) . "&hellip;";
+        $line = &ent($line) . "…";
         $col = 0;
       }
       my $explanation = "";
@@ -2894,6 +2894,8 @@ sub error
   $err->{type} = $mess->{primary_message}{Severity};
   $err->{msg}  = $mess->{primary_message}{Text};
 
+  $err->{msg}  =~ s/"&"/"&amp;"/gsi;
+
   # our parser OpenSP is not quite XML-aware, or XML Namespaces Aware, 
   # so we filter out a few errors for now
 
diff --git a/share/templates/en_US/earl_xml.tmpl b/share/templates/en_US/earl_xml.tmpl
index fb50589..5f29e8d 100644
--- a/share/templates/en_US/earl_xml.tmpl
+++ b/share/templates/en_US/earl_xml.tmpl
@@ -46,7 +46,7 @@ X-W3C-Validator-Warnings: <TMPL_VAR NAME="valid_warnings_num"></TMPL_IF>
         </subject>
         <result rdf:resource="http://www.w3.org/2003/03/earl/1.00#fails" />
         <testCase rdf:resource="http://www.w3.org/Markup/" />
-        <note><TMPL_VAR NAME="msg"></note>
+        <note><TMPL_VAR NAME="msg" ESCAPE="HTML"></note>
       </Assertion>
     </asserts>
 </TMPL_LOOP>
diff --git a/share/templates/en_US/error_loop.tmpl b/share/templates/en_US/error_loop.tmpl
index 9e441ca..e1bad48 100644
--- a/share/templates/en_US/error_loop.tmpl
+++ b/share/templates/en_US/error_loop.tmpl
@@ -16,7 +16,7 @@
       <li<TMPL_IF NAME="class"> class="<TMPL_VAR NAME="class">"</TMPL_IF>>
           <span class="err_type"><TMPL_IF NAME="err_type_info"><img src="images/info_icons/info.png" alt="Info" title="Info" /></TMPL_IF><TMPL_IF NAME="err_type_warn"><img src="images/info_icons/warning.png" alt="Warning" title="Warning" /></TMPL_IF><TMPL_IF NAME="err_type_err"><img src="images/info_icons/error.png" alt="Error" title="Error" /></TMPL_IF></span>
         <em>Line <TMPL_VAR NAME="line" ESCAPE="HTML">, Column <TMPL_VAR NAME="char" ESCAPE="HTML"></em>:
-        <span class="msg"><TMPL_VAR NAME="msg"></span><TMPL_IF NAME="uri">(<a href="<TMPL_VAR NAME="uri" ESCAPE="HTML">">explain...</a>)</TMPL_IF>.<pre><code class="input"><TMPL_VAR NAME="src"></code></pre><TMPL_IF NAME="expl"><TMPL_VAR NAME="expl"></TMPL_IF>      </li>
+        <span class="msg"><TMPL_VAR NAME="msg" ESCAPE="HTML"></span><TMPL_IF NAME="uri">(<a href="<TMPL_VAR NAME="uri" ESCAPE="HTML">">explain...</a>)</TMPL_IF>.<pre><code class="input"><TMPL_VAR NAME="src"></code></pre><TMPL_IF NAME="expl"><TMPL_VAR NAME="expl"></TMPL_IF>      </li>
   </TMPL_LOOP>
 </TMPL_IF>    
 <TMPL_IF NAME="has_errors"></ol></TMPL_IF>
diff --git a/share/templates/en_US/error_loop_grouped.tmpl b/share/templates/en_US/error_loop_grouped.tmpl
index 7ce2359..8e44d25 100644
--- a/share/templates/en_US/error_loop_grouped.tmpl
+++ b/share/templates/en_US/error_loop_grouped.tmpl
@@ -12,7 +12,7 @@
                           <em>Line <a href="#line-<TMPL_VAR NAME="line" 
                               ESCAPE="HTML">"><TMPL_VAR NAME="line" ESCAPE="HTML"></a>,
                               column <TMPL_VAR NAME="char" ESCAPE="HTML"></em>:
-                              <span><TMPL_VAR NAME="msg"></span> 
+                              <span><TMPL_VAR NAME="msg" ESCAPE="HTML"></span> 
                               <pre><code class="input"><TMPL_VAR NAME="src"></code></pre>
                         </li>
               
diff --git a/share/templates/en_US/soap_output.tmpl b/share/templates/en_US/soap_output.tmpl
index eb74beb..d248ae8 100644
--- a/share/templates/en_US/soap_output.tmpl
+++ b/share/templates/en_US/soap_output.tmpl
@@ -24,7 +24,7 @@ X-W3C-Validator-Warnings: <TMPL_VAR NAME="valid_warnings_num"></TMPL_IF>
             <m:error>
                 <m:line><TMPL_VAR NAME="line"></m:line>
                 <m:col><TMPL_VAR NAME="char" ESCAPE="HTML"></m:col>
-                <m:message><TMPL_VAR NAME="msg"></m:message>
+                <m:message><TMPL_VAR NAME="msg" ESCAPE="HTML"></m:message>
                 <m:messageid><TMPL_VAR NAME="num" ESCAPE="HTML"></m:messageid>
                 <m:explanation>  <![CDATA[
                   <TMPL_VAR NAME="expl">
diff --git a/share/templates/en_US/ucn_output.tmpl b/share/templates/en_US/ucn_output.tmpl
index 78a62b3..72440e7 100644
--- a/share/templates/en_US/ucn_output.tmpl
+++ b/share/templates/en_US/ucn_output.tmpl
@@ -21,7 +21,7 @@ X-W3C-Validator-Warnings: <TMPL_VAR NAME="valid_warnings_num"></TMPL_IF>
 	    <error>
 	      <line><TMPL_VAR NAME="line"></line>
 	      <column><TMPL_VAR NAME="char" ESCAPE="HTML"></column>
-	      <message><TMPL_VAR NAME="msg"></message>
+	      <message><TMPL_VAR NAME="msg" ESCAPE="HTML"></message>
 	 	  <context><TMPL_VAR NAME="src"></context>
     <longmessage>
 		<p><a href="http://validator.w3.org/docs/errors.html#ve-<TMPL_VAR NAME="num">">Details...</a></p>
diff --git a/share/templates/en_US/xml_output.tmpl b/share/templates/en_US/xml_output.tmpl
index a316404..fd031ed 100644
--- a/share/templates/en_US/xml_output.tmpl
+++ b/share/templates/en_US/xml_output.tmpl
@@ -63,7 +63,7 @@ X-W3C-Validator-Warnings: <TMPL_VAR NAME="valid_warnings_num"></TMPL_IF>
 <TMPL_LOOP NAME="file_errors">
     <msg line="<TMPL_VAR NAME="line" ESCAPE="HTML">"
          col="<TMPL_VAR NAME="char" ESCAPE="HTML">"
-    ><TMPL_VAR NAME="msg"></msg>
+    ><TMPL_VAR NAME="msg" ESCAPE="HTML"></msg>
 </TMPL_LOOP>
   </messages>