Closed litvinovg closed 1 year ago
While this is indeed a problem, it is not traditionally the expected behavior that all HTML should be escaped in data property values. Traditionally there has been an expectation that certain tags like p, ul, ol, li and the heading levels can be used in properties like overview statement, teaching statement, etc. Labels are used for publication titles, and here it is often the case that ≤i≥ is used for scientific names and sub/sup are used for subscript and superscript.
In the GUI editor, AntiSamy is used to strip unwanted tags and scripts, and the client-side validation in TinyMCE is used as well. It sounds like something needs to be changed here for the label form. And of course none of guards against ingested values.
Before making a sweeping change, it probably is worth discussing whether the current anti-XSS library or something similar can also be used at display time without an objectionable performance penalty. In addition, it would be good to have specific annotations for properties where HTML (or different HTML subsets) is or isn't allowed.
Describe the bug If data property contain special characters, like " or html tags
To Reproduce Steps to reproduce the behavior:
</div>
in the label"</div>
characterExpected behavior Data property text should be displayed as as string value, not interfere with surrounding html.