Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Presence of double quotes in benchmark name produces broken HTML report #235

Closed
adamgundry opened this issue Mar 11, 2021 · 5 comments · Fixed by #248
Closed

Presence of double quotes in benchmark name produces broken HTML report #235

adamgundry opened this issue Mar 11, 2021 · 5 comments · Fixed by #248
Labels
Bug HTML reports

Comments

@adamgundry
Copy link
Member

Similarly to #202 and #204, calling bench with a string containing double quotes leads to a HTML report that produces a JavaScript error in the browser console. Tested with criterion 1.5.9.0.

For example, generating a HTML report with this variant of the code from #202 illustrates the issue:

module Main where

import Criterion
import Criterion.Main

main :: IO ()
main = defaultMain
    [ env (return ()) $
       \ ~() -> bgroup "\"oops\"" [bench "dummy" $ nf id ()]
    ]
@RyanGlScott
Copy link
Member

This is a regression that was introduced in #232, which changed the way that JSON is escaped. cc'ing @considerate, the author.

@considerate
Copy link
Contributor

@RyanGlScott @adamgundry I see, the escaping of \ with respect to HTML, converting it to \u005c, broke escaping with respect to JSON. The easy fix would be to remove

criterion/Criterion/Report.hs

Line 132 in 2fdd87b

escapeJSON '\\' = "\\u005c" -- , and backslashes
but I'm not sure if that could cause issues with the report data escaping the HTML tag.

@considerate
Copy link
Contributor

considerate commented Mar 11, 2021
edited
Loading

I'll have to come back to this some other day when I'm more well rested. However, I've verified that the offending field parses correctly in the same browser that fails on the full report data:

Running this in the developer console of both chromium and firefox works for me:
JSON.parse('[{"reportName":"\u005c"oops\u005c"\u002fdummy","reportOutliers":{"highSevere":0,"highMild":0,"lowMild":0,"samplesSeen":43,"lowSevere":0}}]')

EDIT: This may be because JavaScript is unescaping the unicode escape sequences before JSON.parse is called. The JSON standard requires the escape sequence \" to be exactly those two characters, that is \u005c" won't get unescaped to \" before evaluating to the double quote character (https://tools.ietf.org/html/rfc8259 section 7). This means, that removing line 132 is likely motivated, my only concern is that it might allow for injecting HTML (I need to refresh my memory on what is an escape sequence in HTML).

@considerate
Copy link
Contributor

I think the same argument applies for the escape sequences \n \r \b \t, and \/ so this means that we should probably remove lines 128 through 132 from Report.hs unless these characters can be used to escape the HTML tag somehow, however I don't think that's possible.

@considerate considerate mentioned this issue Dec 6, 2021
Merged
@RyanGlScott
Copy link
Member

I've uploaded criterion-1.5.12.0 to Hackage with a fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug HTML reports
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

escape: remove too agressive JSON escaping considerate/criterion
3 participants
@considerate @adamgundry @RyanGlScott