ShelbyTV / shelby-gt-web

the new shelby web front end for rolls <over />
shelby.tv

Improperly escaping HTML entities #728

Closed matyus closed 11 years ago

matyus commented 11 years ago

See the &amp; ampersand html entity?

http://grab.by/hyFk

Roll:

http://localhost.shelby.tv:3000/user/4fc637879a725b755d001f75/personal_roll

Video: http://shl.by/m1p

Origin: https://twitter.com/LaughingSquid/status/269160511109750784

iceberg901 commented 11 years ago

It comes out of the api that way.

```json
{
  "status": 200,
  "result": {
    "id": "50a54487d104120f6700794c",
    "public": true,
    "messages": [
      {
        "id": "50a54487d104120f6700794d",
        "nickname": "laughingsquid",
        "realname": "laughingsquid",
        "user_image_url": "http://api.tumblr.com/v2/blog/laughingsquid.tumblr.com/avatar/512",
        "text": "A Supercut of Gustavo Almadovar Saying His Name Again &amp; Again",
        "origin_network": "tumblr",
        "origin_id": "35786945253",
        "origin_user_id": "laughingsquid",
        "user_id": "4fc637879a725b755d001f75",
        "public": true,
        "user_has_shelby_avatar": false,
        "created_at": "1h ago"
      }
    ]
  }
}
```

The front end is doing the right thing, which is taking any stuff in the content that could be construed as html and escaping it so that it doesn't render as HTML. Otherwise, people could put in stuff in their comments like <img src="www.pornsite.com/images/apictureofhugeboobs.png" /> and we'd really render that image.

But I don't know why this would be stored as & in the db in the first place, so let's create a corresponding issue on the backend.
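The mechanism behind the visible `&amp;` is double encoding: the API already hands the client HTML-encoded text, and the client's output escaping (which it must keep, for exactly the `<img>` reason above) encodes the `&` a second time. The following is an added illustration, not code from shelby-gt-web; the escape and decode helpers, the `render*` functions and the sample strings are all constructed for this example. It shows the naive path, the escape-exactly-once path, and that the latter still neutralises markup in user content.

```javascript
// Added example (not part of the shelby-gt-web project). Demonstrates how
// escaping text that the API has already HTML-encoded produces a visible
// "&amp;" in the page, and the fix of escaping exactly once at render time.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape plain text for insertion into an HTML text node or attribute value.
// This is the output-boundary step the front end must always perform.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Minimal decoder for the entities escapeHtml produces plus numeric forms.
// "&amp;" is decoded last so that "&amp;lt;" becomes "&lt;", not "<".
// It is not a full HTML parser; it only undoes one layer of encoding.
function decodeEntities(text) {
  return String(text)
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Constructed sample: the message text as the API returned it in this issue,
// i.e. already HTML-encoded once by the backend.
const API_TEXT = 'A Supercut of Gustavo Almadovar Saying His Name Again &amp; Again';

// Constructed sample of hostile user content that output escaping must defuse.
const HOSTILE_COMMENT = '<img src="http://example.invalid/x.png">';

// Naive rendering: escape whatever arrives. Encoded input gets encoded twice,
// so the HTML contains "&amp;amp;" and the browser displays "&amp;".
function renderNaive(apiText) {
  return escapeHtml(apiText);
}

// Escape-once rendering: normalise to plain text first, then escape at the
// output boundary. Encoded input is rendered as "&amp;" and displays as "&".
function renderOnce(apiText) {
  return escapeHtml(decodeEntities(apiText));
}

// What a browser shows for an escaped text node: one layer of decoding.
function browserShows(html) {
  return decodeEntities(html);
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive HTML   :', renderNaive(API_TEXT));
  console.log('naive shows  :', browserShows(renderNaive(API_TEXT)));
  console.log('once HTML    :', renderOnce(API_TEXT));
  console.log('once shows   :', browserShows(renderOnce(API_TEXT)));
  console.log('hostile HTML :', renderOnce(HOSTILE_COMMENT));
}
```

Decoding on the client is only a workaround: it also turns a comment that legitimately contained the literal text `&lt;img&gt;` into `<img>` before display. The durable fix is the one the comment points at, storing raw text in the database and encoding exactly once at the output boundary, which is why the backend issue is the right place to track it.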