EDMdesigner / editor-issues

This is an issue tracking repository for reporting bugs, improvements and feature requests of our email editor.

Link is rendered incorrectly after saving template #86

Open SaqibHussain opened 7 years ago

SaqibHussain commented 7 years ago

If an image is given the following URL: www.springcapitalpartners.com/Our-Funds?signedin=true#/Polen-Capital-Focus-US-Growth-Fund

When the HTML is rendered, this link has been changed to http://www.springcapitalpartners.com/Our-Funds?signedin=true%23%2FPolen-Capital-Focus-US-Growth-Fund#

It looks like the #/ is being URL encoded because it appears after the ?

By our understanding, using a fragment after the query string is valid and should not be getting interpreted as part of the query string.

Please can you advise?

smiska commented 7 years ago

Hi @SaqibHussain, You are right, the generated HTML gets sanitized and the second example is rendered for the image. We are working on resolving this issue. In case you use our editor through API integration it is possible to generate the template without sanitizing. This will not escape the special characters.

SaqibHussain commented 7 years ago

Hi @smiska Thanks for your response. We do go through your API to generate the HTML so this might be a temporary workaround. If possible, could you provide some additional information or point me towards some documentation on what your sanitisation process covers? We're reluctant to disable this functionality completely in case some of our customers rely on it.

smiska commented 7 years ago

Hi @SaqibHussain I'll ask my senior colleagues and my supervisor about what's covered in our sanitization process and update you on this, but right now it's a bit difficult to discuss it with them because of our work schedule. I expect to be able to provide a more detailed response next week.

smiska commented 7 years ago

Hi @SaqibHussain Unfortunately we do not have documentation on the sanitization, but it is only necessary if you (or your customers) would use for publishing web version. In that case configuring a third-party sanitize service like Google Caja or XSS may be a good option to have full control on the sanitization process.

SaqibHussain commented 7 years ago

@smiska okay, thank you for your reply.

Another question, since you have identified this as an issue, do you have any indication of when a fix can be released? Even if you are just able to provide an indication of the priority of this item for you, it will let us better understand whether we need to look into making a code change ourselves or waiting on a fix from EDM?

SaqibHussain commented 6 years ago

@smiska please could you provide an update on the status of this bug? We still have customers waiting for this to be resolved. Thanks.

smiska commented 6 years ago

Hi @SaqibHussain , My apologies for the delay in replying. I briefed a colleague about the details of this issue, when I hear back from him I'll let you know immediately. I'm sorry for any inconveniences caused.

smiska commented 6 years ago

Hi @SaqibHussain , I could discuss our policy for sanitization with our CTO, and as the needs of our partners differ, unfortunately we can't do this update for you. As such changes would affect multiple partners' sanitization process, we must leave custom implementations to be implemented on the partner's side.
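
For partners implementing their own link sanitization, as the thread suggests, the following is an added example and not code from the editor or from any participant in this issue. `naiveSanitize` is a hypothetical illustration of how a fragment placed after the query string can end up percent-encoded, and `sanitizeHref` is one assumed alternative that parses the URL into components first, allowlists the scheme, and leaves the fragment intact.

```javascript
// Hypothetical sketch of the bug class: everything after "?" is treated as
// query data, so a trailing "#/..." fragment is encoded into the last value.
function naiveSanitize(raw) {
  const q = raw.indexOf("?");
  if (q === -1) return "http://" + raw;
  const pairs = raw.slice(q + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    if (eq === -1) return encodeURIComponent(pair);
    return pair.slice(0, eq) + "=" + encodeURIComponent(pair.slice(eq + 1));
  });
  return "http://" + raw.slice(0, q) + "?" + pairs.join("&");
}

// Schemes permitted in email links (an assumption; adjust to your policy).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Fragment-aware sanitizer: the WHATWG URL parser separates path, query and
// fragment before any encoding happens, so "#" keeps its meaning while
// characters that could break out of an HTML attribute are still escaped.
function sanitizeHref(raw) {
  const trimmed = String(raw).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(trimmed);
  let url;
  try {
    // Scheme-less input such as "www.example.com/..." defaults to http,
    // matching the "http://" prefix seen in the rendered link in this issue.
    url = new URL(hasScheme ? trimmed : "http://" + trimmed);
  } catch {
    return null; // unparseable input is dropped, not passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // e.g. javascript:
  return url.href;
}

// URL from the issue report.
const reported =
  "www.springcapitalpartners.com/Our-Funds?signedin=true#/Polen-Capital-Focus-US-Growth-Fund";

console.log(naiveSanitize(reported)); // fragment swallowed into the query
console.log(sanitizeHref(reported));  // fragment preserved
```
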