From c30087fa75fe15ff61e6c334c921497a55372eb7 Mon Sep 17 00:00:00 2001
From: root <root@rbsd.ankarstrom.se>
Date: Tue, 27 Apr 2021 08:21:06 +0000
Subject: Clarify CAVEATS

---
 README               | 23 ++++++++++++++++++++---
 lib/Apache/Inject.pm | 24 ++++++++++++++++++++----
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/README b/README
index 4a663c0..ebbea98 100644
--- a/README
+++ b/README
@@ -116,10 +116,27 @@ OPERATION
     and forwards their combined contents.
 
 CAVEATS
-    Apache::Inject::Filter uses regular expressions to determine the proper
+    Apache::Inject::Filter uses a regular expression to determine the proper
     location of the injected header. It supports all valid HTML. However, it
-    does not take into account that embedded CSS and JavaScript code can
-    contain strings that look like valid opening and closing HTML tags.
+    does not parse embedded CSS and JavaScript, which means that it is
+    *possible* to construct an example where it will fail:
+
+      <script>
+      /* this looks like the closing tag for script: </script> */
+      /* this looks like an opening tag for a new element: <title> */
+      </script>
+      <body>
+      This is where the header <i>should</i> be inserted.
+      <script>
+      /* this looks like the closing tag for the title: </title>
+         This is where the header is <i>actually</i> inserted.
+      */
+      </script>
+      </body>
+
+    This specific type of document, however, is *incredibly* unlikely. In
+    this case, an ad-hoc solution is simpler, more efficient and more
+    maintainable than a general one.
 
     On FreeBSD, you may need to enable the accf_http kernel module in order
     for the tests to work. Note that Apache::Inject works fine without the
diff --git a/lib/Apache/Inject.pm b/lib/Apache/Inject.pm
index bf50728..1d6f49b 100644
--- a/lib/Apache/Inject.pm
+++ b/lib/Apache/Inject.pm
@@ -182,11 +182,27 @@ intelligently and forwards their combined contents.
 
 =head1 CAVEATS
 
-Apache::Inject::Filter uses regular expressions to determine the
+Apache::Inject::Filter uses a regular expression to determine the
 proper location of the injected header.  It supports all valid HTML.
-However, it does not take into account that embedded CSS and
-JavaScript code can contain strings that look like valid opening
-and closing HTML tags.
+However, it does not parse embedded CSS and JavaScript, which means
+that it is I<possible> to construct an example where it will fail:
+
+  <script>
+  /* this looks like the closing tag for script: </script> */
+  /* this looks like an opening tag for a new element: <title> */
+  </script>
+  <body>
+  This is where the header <i>should</i> be inserted.
+  <script>
+  /* this looks like the closing tag for the title: </title>
+     This is where the header is <i>actually</i> inserted.
+  */
+  </script>
+  </body>
+
+This specific type of document, however, is I<incredibly> unlikely.
+In this case, an ad-hoc solution is simpler, more efficient and
+more maintainable than a general one.
 
 On FreeBSD, you may need to enable the accf_http kernel module in
 order for the tests to work.  Note that Apache::Inject works fine
-- 
cgit v1.2.3