element-hq / element-meta

Shared/meta documentation and project artefacts for Element clients

Plain-text message bodies include spoilers verbatim #1634

Open xenofem opened 3 years ago

xenofem commented 3 years ago

Description

When a spoilered message is sent with the /spoiler command, the plain-text fallback in the body key contains the content of the spoiler verbatim, with no attempt at obfuscation. This fallback is displayed in notifications, channel previews, and other contexts in Element and in many other Matrix clients, making it very likely that users will be exposed to potentially upsetting content without their active consent. For this reason, matrix-org/matrix-doc#2010 recommends obfuscating the spoilered content in the fallback, to preserve the semantics of the spoiler.

This issue intersects with vector-im/element-web#12034 and vector-im/element-web#14447, but is solving a slightly different problem. My goal is to ensure that messages sent by Element won't trigger bugs along the lines of vector-im/element-web#12034 and vector-im/element-web#14447 in any Matrix client, including Element. Separate work will still need to be done so that Element can better handle messages from other clients that don't follow the recommendations set out in MSC2010, and other clients should also do that work, but following the MSC's recommendations ourselves is still valuable.

Steps to reproduce

Expected: Spoilered content should not be shown anywhere, in any client, unless I've deliberately clicked on a spoiler to view it.

What happens: Spoilered content sent in Element is directly visible in notifications and channel previews, in both Element and other clients.

Logs being sent: no, not needed

Sending a spoilered message (this screenshot is in Android, but the behavior in the web version of Element is basically the same): [screenshot: Sending a spoilered message]

Viewing the message in the chat: [screenshot: It's correctly spoilered in the chat]

Viewing the channel in Element's channel overview: [screenshot: But the spoilered content is fully visible in Element's channel overview]

Viewing the channel in FluffyChat's channel overview: [screenshot: And also in other clients' channel overviews]

Version information

For the web app:

robintown commented 3 years ago

You should probably go ahead and open an issue for Android too

xenofem commented 3 years ago

I've been talking with people further, and there seems to be some disagreement over whether it's senders' responsibility not to include spoilers in plaintext, or receivers' responsibility not to display plaintext when there's spoilers. The existing MSCs on spoilers don't make it clear whose job it should be to handle this correctly, and seem to imply the former, but the consensus among Element maintainers and among people in #matrix-spec:matrix.org seems to be the latter option. So this issue is probably a wontfix. Instead, I'm working on PRs for Element and for FluffyChat to not display the plaintext when there are spoilers. I'm waiting to close this issue until matrix-org/matrix-doc#3124 gets merged, or is at least clearly headed that way, just in case the informal consensus changes.

Cadair commented 1 month ago

The merged spec states:

When sending a spoiler, clients SHOULD provide the fallback in the body as shown above (including the reason). The fallback SHOULD NOT include the text containing spoilers since body might show up in text-only clients or in notifications. To prevent spoilers showing up in such situations, clients are strongly encouraged to first upload the text containing spoilers to the media repository, then reference the mxc:// URI in a markdown-style link, as shown above.

So at least Element-web has this wrong as it sends the plain text spoiler content in the clear.

HarHarLinks commented 1 month ago

Which however would not fix spoilers being shown in Element Web (and maybe others, I did not check), because in the room list's message preview it will not show the (fallback) body, e.g. "body": "*testing formatting*", but a stripped version of the formatted_body, e.g. "formatted_body": "<em>testing formatting</em>", minus any HTML tags, which results in [image]
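
The two points raised in this thread (a body fallback that omits the spoiler text, and a preview derived from formatted_body by stripping tags) can both be served by one redaction pass. The following is an added example, not code from Element or from any commenter. It assumes spoilers are marked with the data-mx-spoiler attribute on a span and that the fallback label reads "Spoiler for <reason>", as in the Matrix spec; mxcFor is a hypothetical callback standing in for the media upload, and the sample message and mxc:// URI are constructed.

```javascript
// Added example, not Element's code. Inputs below are constructed.
// Matches one HTML tag; quoted attribute values may contain '>'.
const TAG = /<(\/?)([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// Matches the data-mx-spoiler attribute, with or without a reason value.
const SPOILER_ATTR =
  /(?:^|\s)data-mx-spoiler(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?(?=\s|\/|$)/i;

// What a preview looks like if tags are stripped and spoiler text is kept.
const naiveStrip = (html) => html.replace(/<[^>]*>/g, "");

// mxcFor (hypothetical) stands in for "upload hidden text, return mxc:// URI".
function placeholder(reason, hidden, mxcFor) {
  const label = reason ? `Spoiler for ${reason}` : "Spoiler";
  return mxcFor ? `[${label}](${mxcFor(hidden)})` : `[${label}]`;
}

// Strip tags, replacing each spoiler span (nested spans included) with a
// placeholder. HTML entities are left undecoded to keep the example short.
function redactSpoilers(html, mxcFor) {
  let out = "", pos = 0, depth = 0, reason = "", hidden = "", m;
  TAG.lastIndex = 0;
  while ((m = TAG.exec(html)) !== null) {
    const text = html.slice(pos, m.index);
    pos = TAG.lastIndex;
    if (depth > 0) hidden += text; else out += text;
    const [, closing, name, attrs] = m;
    if (name.toLowerCase() !== "span") continue; // other tags are just dropped
    if (depth > 0) {
      depth += closing ? -1 : 1; // track spans nested inside the spoiler
      if (depth === 0) out += placeholder(reason, hidden, mxcFor);
    } else if (!closing) {
      const a = SPOILER_ATTR.exec(attrs);
      if (a) { depth = 1; hidden = ""; reason = a[1] ?? a[2] ?? a[3] ?? ""; }
    }
  }
  const rest = html.slice(pos);
  // Unclosed spoiler span: fail closed and hide everything after it.
  return depth > 0 ? out + placeholder(reason, hidden + rest, mxcFor) : out + rest;
}

const sample =
  'Alice <span data-mx-spoiler="movie">lived <span>happily</span> ever after</span> in the movie.';
console.log(naiveStrip(sample));     // preview that keeps the spoiler text
console.log(redactSpoilers(sample)); // preview with the spoiler replaced
console.log(redactSpoilers(sample, () => "mxc://example.org/abc123")); // body fallback
```

Called without mxcFor the function yields a preview string; called with it, the same pass yields a body fallback whose link points at the uploaded text.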