103

I was testing some code on Coliru, and I got a strange output. I went down the code and could reproduce it with this simple piece of code:

int main()
{
    π
}

The output on g++:

output on g++

clang:

output on clang

For instance, using just pi (without the address-of) shows the expected result:

main.cpp:3:5: error: 'pi' was not declared in this scope
    pi;
    ^

I tried to reproduce this on my machine, using g++ 4.9.2 and on others sites but I could not.

Is this some bug on this site, some config of these compilers ?

And why only using the address-of operator (&) shows this symbol ?

thecoshman
  • 8,394
  • 8
  • 55
  • 77
hlscalon
  • 7,304
  • 4
  • 33
  • 40
  • 23
    What happens if you put in `&tm;`? Do you get ™ showing up? If so your output is being interpreted as HTML. – tadman Mar 05 '15 at 19:18
  • 13
    @tadman According to this [site](http://www.ascii.cl/htmlcodes.htm) ™ does not have an HTML "name" code, just an HTML number code: ™ This gives the expected [output](http://coliru.stacked-crooked.com/a/e4b5054d82c00595). – simon Mar 05 '15 at 19:22
  • 53
    ahaha this is hilarious – Lightness Races in Orbit Mar 05 '15 at 19:27
  • You think they might be using `innerHTML` to produce the output? – David G Mar 05 '15 at 19:35
  • The HTML entity code for the trademark symbol is `™`. – Stan Rogers Mar 05 '15 at 20:26
  • 1
    @LightnessRacesinOrbit No it doesn't. Tags are being "sanitized" manually: `text += pre_open + line.replace(//g, '&gt') + pre_close;` – Random832 Mar 05 '15 at 22:38
  • 4
    @Random832: That's what I get for browsing the DOM rather than viewing source. `(╯°□°)╯︵ ┻━┻` – Lightness Races in Orbit Mar 05 '15 at 22:50
  • I almost got caught by that too, but since i _knew_ that tags work in pre, I looked for an alternate explanation. The DOM browser (I assume - I was using Firefox's built-in inspector) doesn't bother to show it as an entity because it is already showing it as a text node and therefore not as an element. – Random832 Mar 05 '15 at 22:51
  • 3
    For the record, several people who have commented here know the Coliru maintainer. He is now aware of the issue. Thank you for raising it. – Lightness Races in Orbit Mar 05 '15 at 22:51
  • 1
    @Random832: Admittedly I was quite surprised that `
    ` would inherently sanitise anything but `
    `, my conclusion for the split second between observation and posting the comment. But there's a cost/benefit ratio to checking these things out. I'm just glad I don't have to use HTML much any more: it's been a good decade since that was anywhere near the forefront of my profession.     – Lightness Races in Orbit Mar 05 '15 at 22:52
  • 2
    Oh no! The Praetorians are here: http://en.wikipedia.org/wiki/The_Net_(1995_film) – Pieter Geerkens Mar 06 '15 at 14:38
  • Ohhh.... **please** try putting some Javascript in... – chiastic-security Mar 12 '15 at 14:17

2 Answers2

114

It's a bug on the site, as the compiler's output is not properly escaped. The compiler should output π, but that's valid HTML, producing the pi symbol you see.

Puppy
  • 144,682
  • 38
  • 256
  • 465
  • can we get a live demo on somewhere like coliru to show this? :P – thecoshman Mar 06 '15 at 08:37
  • 9
    And quite often forgotten escaping turns out to be a security problem. So whenever one comes across it, it is polite to notify the site administrator about it. – kasperd Mar 06 '15 at 16:49
50

π is html code for π. It looks like someone forgot to escape things properly.

  • 8
    700 and a gold badge. What's really unpleasant is that this guy could have used that a lot more than me, – Puppy Mar 12 '15 at 21:01
  • 3
    @DavidRicherby - rep is overrated, and doesn't put food on the table. – dtech Jan 30 '16 at 20:36