forem / forem

For empowering community 🌱
https://forem.com
GNU Affero General Public License v3.0

HTML clobbered instead of escaped in article titles #8705

Open ghost opened 4 years ago

ghost commented 4 years ago

The problem can be seen at this article, where the title is `How to feel about <a ping>?` but it displays as `How to feel about <a>?</a>`.

If I change the title to `How to feel about \<a ping>?`, it displays as `How to feel about \<a>?</a>`.

Expected behavior: HTML in titles should be escaped so that it displays the same as it was typed in, but not otherwise affected.

rhymes commented 4 years ago

Thanks for the issue! We'll take your request into consideration and follow up if we decide to tackle this issue.

To our amazing contributors: issues labeled `type: bug` are always up for grabs, but for feature requests, please wait until we add a `ready for dev` label before starting to work on it.

To claim an issue to work on, please leave a comment. If you've claimed the issue and need help, please ping @thepracticaldev/oss and we will follow up within 3 business days.

For full info on how to contribute, please check out our contributors guide.

citizen428 commented 4 years ago

I reproduced this locally.

1. We store the title correctly.

   ```ruby
   a.title
   #=> "How to feel about <a ping>?"
   ```

2. The view uses a helper called `sanitize_and_decode`, which introduces the problem:

   ```ruby
   helper.sanitize_and_decode(a.title)
   #=> "How to feel about <a>?</a>"
   ```

3. This helper was added in #7593 to address #7175.

4. The helper does the following:

   ```ruby
   HTMLEntities.new.decode(sanitize(str).to_str)
   ```

   It's the `sanitize` call that adds the closing tag and removes the attribute:

   ```ruby
   helper.sanitize(a.title)
   #=> "How to feel about <a>?</a>"
   ```

5. `sanitize` takes options for allowing specific tags and attributes, which brings `ping` back.

   ```ruby
   helper.sanitize(a.title, attributes: %w[ping])
   #=> "How to feel about <a ping>?</a>"
   ```

smeijer commented 3 years ago

Weird thing is, preview renders the title fine. But not on the published post.

I can escape the title with HTML entities (`&lt;...&gt;`), which are rendered fine in the publication, but not in the preview.

The HTML entities in blog titles are not reversed when using the share menu though, resulting in tweets like this:

https://dev.to/smeijer/a-typescript-valueof-implementation-and-how-it-s-built-4gim

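As an added example (not Forem's code and not posted by anyone in this thread), the Ruby below contrasts the escape-on-output behaviour the issue asks for with the parse-and-repair behaviour citizen428 traced to `sanitize`, and covers smeijer's share-menu observation by decoding entities only when the title goes into a plain-text context. The function names `title_for_html`, `rendered_text`, `round_trips?`, `title_for_plain_text` and `share_url`, the sample titles, and the tweet-intent URL are assumptions made for this example; it uses only Ruby's standard library (`CGI` and `URI`), not Rails' `sanitize` helper.

```ruby
require "cgi"
require "uri"

# Constructed sample titles for this example (not the live articles
# mentioned in the thread).
SAMPLE_TITLES = [
  "How to feel about <a ping>?",
  "A TypeScript valueOf implementation & how it's built",
  "Markup-looking text: </div><b>not bold</b>",
].freeze

# HTML context: escape instead of sanitize. A sanitizer parses the title
# as HTML and "repairs" it (drops the unknown `ping` attribute, appends
# </a>); escaping only replaces the characters that can start or end
# markup (& < > " '), so the browser decodes it back to exactly what
# the author typed.
def title_for_html(title)
  CGI.escapeHTML(title)
end

# What the browser shows for an escaped title: decoding the entities
# gives back the original string, which is the issue's expected
# behaviour ("displays the same as it was typed in").
def rendered_text(escaped_html)
  CGI.unescapeHTML(escaped_html)
end

# True when escaping then rendering reproduces the typed title verbatim.
def round_trips?(title)
  rendered_text(title_for_html(title)) == title
end

# Plain-text context (share menu / tweet intent): entities are wrong
# here. If a stored title already carries entities (the workaround
# described in the thread), decode them before building the URL; a
# title without entities is returned unchanged.
def title_for_plain_text(stored_title)
  CGI.unescapeHTML(stored_title)
end

# Hypothetical share-link builder (assumption for this example, not
# Forem's own share code). The query string is URL-encoded, which is
# the correct encoding for this context; HTML entities are not.
def share_url(stored_title, article_url)
  "https://twitter.com/intent/tweet?" +
    URI.encode_www_form(text: title_for_plain_text(stored_title), url: article_url)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TITLES.each do |t|
    puts "typed:       #{t}"
    puts "escaped:     #{title_for_html(t)}"
    puts "rendered:    #{rendered_text(title_for_html(t))}"
    puts "round-trips: #{round_trips?(t)}"
    puts
  end
  puts share_url("A &lt;valueOf&gt; implementation", "https://dev.to/example")
end
```

The design point is that the title should be stored raw and encoded per output context: entity-escaped for HTML, URL-encoded (and never entity-encoded) for a share link. Escaping is not idempotent, so a title stored with entities as a workaround has to be decoded before either step, otherwise `&lt;` becomes `&amp;lt;` in HTML or appears literally in a tweet.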