Do not escape WHOIS output

Both WhoisAction and WhoisHttpAction set the HTTP response content type to "text/plain". There is no need to defensively escape the content. In fact, by escaping the content, it creates more problems down the line. When used in a website, the response should be written into a DOM node by setting the textContent of the node, which automatically escapes the content. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=196743398
2026-01-09 15:43:52 +00:00 · 2018-05-15 15:51:31 -07:00
parent f1219120ea
commit 7388958df7
14 changed files with 26 additions and 55 deletions
--- a/java/google/registry/whois/WhoisResponseImpl.java
+++ b/java/google/registry/whois/WhoisResponseImpl.java
@@ -17,7 +17,6 @@ package google.registry.whois;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableList.toImmutableList;
-import static com.google.common.html.HtmlEscapers.htmlEscaper;

 import com.google.common.base.Joiner;
 import google.registry.model.eppcommon.Address;
@@ -187,16 +186,9 @@ abstract class WhoisResponseImpl implements WhoisResponse {
      return emitNewline();
    }

-    /**
-     * Remove potentially dangerous stuff from WHOIS output fields.
-     *
-     * <ul>
-     * <li>Remove ASCII control characters like {@code \n} which could be used to forge output.
-     * <li>Escape HTML entities, just in case this gets injected poorly into a webpage.
-     * </ul>
-     */
+    /** Remove ASCII control characters like {@code \n} which could be used to forge output. */
    private String cleanse(String value) {
-      return htmlEscaper().escape(value).replaceAll("[\\x00-\\x1f]", " ");
+      return value.replaceAll("[\\x00-\\x1f]", " ");
    }

    @Override