Open ghost opened 4 years ago
Thanks for the issue! We'll take your request into consideration and follow up if we decide to tackle this issue.
To our amazing contributors: issues labeled `type: bug` are always up for grabs, but for feature requests, please wait until we add a `ready for dev` before starting to work on it.
To claim an issue to work on, please leave a comment. If you've claimed the issue and need help, please ping @thepracticaldev/oss and we will follow up within 3 business days.
For full info on how to contribute, please check out our contributors guide.
I reproduced this locally.

```ruby
a.title
#=> "How to feel about <a ping>?"
```

`sanitize_and_decode`, which introduces the problem:

```ruby
helper.sanitize_and_decode(a.title)
#=> "How to feel about <a>?</a>"
```

```ruby
HTMLEntities.new.decode(sanitize(str).to_str)
```

It's the `sanitize` call that adds the closing tag and removes the attribute:

```ruby
helper.sanitize(a.title)
#=> "How to feel about <a>?</a>"
```

`sanitize` takes options for allowing specific tags and attributes, which brings `ping` back.

```ruby
helper.sanitize(a.title, attributes: %w[ping])
#=> "How to feel about <a ping>?</a>"
```
Weird thing is, preview renders the title fine. But not on the published post.
I can escape the title with HTML entities (`&lt;...&gt;`), which are rendered fine in the publication, but not in the preview.
The HTML entities in blog titles are not reversed when using the share menu, though, resulting in tweets like this:
https://dev.to/smeijer/a-typescript-valueof-implementation-and-how-it-s-built-4gim
The problem can be seen at this article, where the title is "How to feel about \<a ping>?" but it displays as "How to feel about \<a>?\</a>".
If I change the title to "How to feel about \\<a ping\>?", it displays as "How to feel about \\<a>?\</a>".
Expected behavior: HTML in titles should be escaped so that it displays the same as it was typed in, but not otherwise affected.
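
An added example, not part of the issue thread or the project's code: the expected behavior above, written as context-specific output encoding of the raw stored title instead of sanitizing it. The helper names and the sample titles are assumptions made for illustration; only Ruby's standard `cgi` and `uri` libraries are used.

```ruby
require "cgi"
require "uri"

# Constructed sample titles (not taken from any real article).
SAMPLE_TITLES = [
  "How to feel about <a ping>?",          # the title from this issue
  "How to feel about &lt;a ping&gt;?",    # author typed entities by hand
  "<script>alert(1)</script> & friends",  # markup that must never execute
].freeze

# Hypothetical helper: encode the stored, raw title for an HTML text context.
# Escaping (not sanitizing) keeps every typed character and neutralizes markup.
def title_for_html(raw)
  CGI.escapeHTML(raw)
end

# Hypothetical helper: build share text from the raw title, never from the
# HTML-escaped form, so entities do not leak into the shared message.
def title_for_share_url(raw)
  URI.encode_www_form_component(raw)
end

# What a browser would display for the escaped markup: decode entities once.
def displayed_text(html)
  CGI.unescapeHTML(html)
end

# True when the escaped output contains no raw angle brackets (no live tags)
# and displays exactly what the author typed.
def safe_round_trip?(raw)
  html = title_for_html(raw)
  !html.match?(/[<>]/) && displayed_text(html) == raw
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TITLES.each do |t|
    puts "raw:   #{t}"
    puts "html:  #{title_for_html(t)}"
    puts "share: #{title_for_share_url(t)}"
    puts "ok:    #{safe_round_trip?(t)}"
  end
end
```

Because the title is stored raw and encoded once per output context, a title typed with literal entities is displayed with those entities, and the share link carries the original characters.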