Received: (qmail 26108 invoked by uid 501); 16 May 2001 19:32:53 -0000
Message-Id: <20010516193253.26106.qmail@apache.org>
Date: 16 May 2001 19:32:53 -0000
From: Fred Koschara <wfredk@L5Development.com>
Reply-To: wfredk@L5Development.com
To: submit@bugz.apache.org
Subject: Angle brackets delimiting HTML FRAME command replaced with display strings
X-Send-Pr-Version: 3.110

>Number:         7729
>Category:       mod_include
>Synopsis:       Angle brackets delimiting HTML FRAME command replaced with display strings
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed May 16 12:40:05 PDT 2001
>Closed-Date:    Thu May 17 09:41:38 PDT 2001
>Last-Modified:  Thu May 17 09:41:38 PDT 2001
>Originator:     wfredk@L5Development.com
>Release:        1.3.14+
>Organization:
>Environment:
I have observed this bug in two environments:
1. BSD/OS sb946.web2010.com 4.2 BSDI BSD/OS 4.2 i386 unknown
   Apache/1.3.14 (Unix) PHP/4.0.4 FrontPage/4.0.4.3
2. win32 Apache 1.3.19

It is _not_ present under:
BSD/OS w153.web2010.com 4.0.1 BSDI BSD/OS 4.0 i386 unknown
Apache/1.3.11 (Unix) FrontPage/4.0.4.3 PHP/3.0.14
>Description:
The HTML shown below is from an "index.shtml" page that may be passed a query string to select the page to display in the "mainFrame" window.
It works correctly under Apache 1.3.11, but with Apache 1.3.14 (and .19), the '<' and '>' of the FRAME command are replaced with "&lt;" and "&gt;", respectively.
This causes the HTML FRAME command to be interpreted as text, rather than a FRAME command, and the window remains blank.

<FRAMESET ROWS="147,350*" COLS="126,657*" FRAMEBORDER="NO" BORDER="0" FRAMESPACING="0">
	<FRAME SCROLLING="NO" NORESIZE	NAME="cornerFrame"	SRC="/Logo.htm">
	<FRAME SCROLLING="NO" NORESIZE	NAME="topFrame"		SRC="/Top.htm">
	<FRAME SCROLLING="NO" NORESIZE	NAME="leftFrame"	SRC="/Left.htm">
<!--#if expr="$QUERY_STRING>''" -->
<!--#set var="FRAME_CMD" value="<FRAME SCROLLING=\"AUTO\" SRC=\"$QUERY_STRING\" NAME=\"mainFrame\">" -->
	<!--#echo var="FRAME_CMD" -->
<!--#else -->
	<FRAME SCROLLING="AUTO"			NAME="mainFrame"	SRC="/Home.htm">
<!--#endif -->
</FRAMESET>
>How-To-Repeat:
Functional page --
http://www.L5Software.com/go?KeywordGo
Broken page --
http://studiolines.com/index.shtml?/Members/SignUp.htm
>Fix:
I haven't had time to look into the code...
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: slive
State-Changed-When: Thu May 17 09:41:36 PDT 2001
State-Changed-Why:

See the new "encoding" option to the "echo" element
in the mod_include docs.

It was necessary to change the default behaviour to
prevent some nasty security problems.  See the
details on the "cross-site scripting" security problem.

Thanks for using Apache.
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]