Bug#647128: html comments and the hashes of doom

Joey Hess joeyh at debian.org
Sun Oct 30 16:37:52 UTC 2011


Package: libtext-markdown-perl
Version: 1.0.26-1
Severity: normal

The attached file has a big nasty html block inside it, of the sort that many
large websites trick users into pasting into the middle of their pages for
various nefarious reasons. (This one may or may not do something evil. Who
knows anymore?)

Markdown helpfully renders it like this:

<!-- Start of Flickr Badge -->
<style type="text/css">
3391475c37cb4a23fc28006b36537032
8c116bb6db0f071ff475dcb93239995a
3476eed85949de6c8201b49925742071
.flickr_badge_image {text-align:center !important;}
.flickr_badge_image img {border: 1px solid black !important;}
08bec307241f45b5025456e9ca24c856
...
</style>
85ec526d511794b64b22085214dbddfd
<!-- End of Flickr Badge -->

I assume that markdown is *not* employing advanced webbug blocking
heuristics and instead has a wacky bug of its own with certain embedded
html that it's supposed to pass through unmangled. Note that removing
the leading and trailing html comments avoids the bug; so does wrapping
the thing in span tags. But to a user editing their markdown page,
neither is obvious.

I had earlier seen a similar bug with the old perl markdown;
its bug report is #380212. (http://bugs.debian.org/380212/)

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libtext-markdown-perl depends on:
ii  perl  5.12.4-6

libtext-markdown-perl recommends no packages.

Versions of packages libtext-markdown-perl suggests:
ii  libtext-multimarkdown-perl  1.000034-1

-- no debconf information

-- 
see shy jo
-------------- next part --------------
hello markdown

<!-- Start of Flickr Badge -->
<style type="text/css">
#flickr_badge_source_txt {padding:0; font: 11px Arial, Helvetica, Sans serif; color:#666666;}
#flickr_badge_icon {display:block !important; margin:0 !important; border: 1px solid rgb(0, 0, 0) !important;}
#flickr_icon_td {padding:0 5px 0 0 !important;}
.flickr_badge_image {text-align:center !important;}
.flickr_badge_image img {border: 1px solid black !important;}
#flickr_www {display:block; text-align:left; padding:0 10px 0 10px !important; font: 11px Arial, Helvetica, Sans serif !important; color:#3993ff !important;}
#flickr_badge_uber_wrapper a:hover,
#flickr_badge_uber_wrapper a:link,
#flickr_badge_uber_wrapper a:active,
#flickr_badge_uber_wrapper a:visited {text-decoration:none !important; background:inherit !important;color:#3993ff;}
#flickr_badge_wrapper {background-color:#ffffff;border: solid 1px #000000}
#flickr_badge_source {padding:0 !important; font: 11px Arial, Helvetica, Sans serif !important; color:#666666 !important;}
</style>
<table id="flickr_badge_uber_wrapper" cellpadding="0" cellspacing="10" border="0"><tr><td><a href="http://www.flickr.com" id="flickr_www">www.<strong style="color:#3993ff">flick<span style="color:#ff1c92">r</span></strong>.com</a><table cellpadding="0" cellspacing="10" border="0" id="flickr_badge_wrapper">
<tr>
<script type="text/javascript" src="http://www.flickr.com/badge_code_v2.gne?show_name=1&count=3&display=random&size=t&layout=h&source=user_set&user=16105436%40N00&set=72157627638459707&context=in%2Fset-72157627638459707%2F"></script>
<td id="flickr_badge_source" valign="center" align="center">
<table cellpadding="0" cellspacing="0" border="0"><tr>
<td width="10" id="flickr_icon_td"><a href="http://www.flickr.com/photos/hendry/sets/72157627638459707/"><img id="flickr_badge_icon" alt="Kai Hendry's Mongol Rally 2011 photoset" src="http://farm1.static.flickr.com/33/buddyicons/16105436@N00.jpg?1269209672#16105436@N00" align="left" width="48" height="48"></a></td>
<td id="flickr_badge_source_txt">Kai Hendry's <a href="http://www.flickr.com/photos/hendry/sets/72157627638459707/">Mongol Rally 2011</a> photoset</td>
</tr></table>
</td>
</tr>
</table>
</td></tr></table>
<!-- End of Flickr Badge -->

goodbye markdown
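The 32-hex-digit lines in the rendering above have the shape of the placeholder keys that Markdown.pl-style implementations (Text::Markdown included) use when they stash raw HTML blocks in a hash table keyed by the block's MD5 and substitute the block back in a later pass. The following is an added example, not code from the bug report or from Text::Markdown: a small check that scans rendered output for such leaked placeholder lines, plus a toy model of the stash-and-restore round trip so the failure mode can be reproduced offline. The sample output is a constructed, abridged copy of the rendering quoted in the report; the block-matching regex and the "\n\n" padding around keys are simplifications assumed here, not the real implementation's rules.

```python
import hashlib
import re

# Constructed sample: the mangled rendering quoted in the bug report, abridged.
RENDERED_SAMPLE = """\
<!-- Start of Flickr Badge -->
<style type="text/css">
3391475c37cb4a23fc28006b36537032
8c116bb6db0f071ff475dcb93239995a
.flickr_badge_image {text-align:center !important;}
85ec526d511794b64b22085214dbddfd
</style>
<!-- End of Flickr Badge -->
"""

# A line that consists of nothing but a 32-hex-digit token: the shape of an
# MD5 placeholder key that was never substituted back.
PLACEHOLDER_LINE = re.compile(r"^\s*([0-9a-f]{32})\s*$")


def find_leaked_placeholders(html):
    """Return (line_number, token) for each line that is only a 32-hex-digit token."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        m = PLACEHOLDER_LINE.match(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


# Toy model of the stash step (assumption: a simplified stand-in for the real
# _HashHTMLBlocks pass). A block-level HTML element starting at column 0 is
# replaced by the MD5 of its text, and the text is remembered under that key.
BLOCK_RE = re.compile(
    r"^<(style|script|table|div)\b.*?^</\1>\s*$",
    re.MULTILINE | re.DOTALL | re.IGNORECASE,
)


def hash_html_blocks(text):
    """Replace block-level HTML with MD5 keys; return (hashed_text, key->block table)."""
    table = {}

    def stash(m):
        block = m.group(0)
        key = hashlib.md5(block.encode("utf-8")).hexdigest()
        table[key] = block
        return "\n\n" + key + "\n\n"

    return BLOCK_RE.sub(stash, text), table


def unhash_html_blocks(text, table):
    """Restore every stashed block; any key left unrestored becomes a leaked placeholder."""
    for key, block in table.items():
        text = text.replace(key, block)
    return text


def render_roundtrip(markdown_text, restore=True):
    """Stash HTML blocks and, unless restore=False, put them back.

    restore=False models a renderer that loses track of a stashed block,
    which is what the report's output looks like.
    """
    hashed, table = hash_html_blocks(markdown_text)
    return unhash_html_blocks(hashed, table) if restore else hashed


if __name__ == "__main__":
    for lineno, token in find_leaked_placeholders(RENDERED_SAMPLE):
        print(f"leaked placeholder on line {lineno}: {token}")
```

Running the check over a site's rendered pages is a cheap regression test for this class of bug. The match is deliberately narrow (a whole line of exactly 32 lowercase hex digits); a page that legitimately publishes an MD5 checksum on a line by itself will trip it, so treat hits as something to eyeball rather than an automatic failure.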