Text in angle brackets doesn't appear in IdentiFox

Issue #2 new
Aaron Williamson
repo owner created an issue

When a dent contains <text in angle brackets>, IdentiFox swallows everything between "<" and ">", inclusive. This presumably happens when the JavaScript element is built.

Comments (3)

  1. Aaron Williamson reporter

    This bug disappears if you comment out line 906 (in commit 27):

    text = this._unescapeHTML.unescape(text.replace(/&amp;/g,"&"));

    I assume the unescape function is causing the content of angle brackets to be treated like html tags and removed, but I don't know if this line is necessary, so I'm hesitant to commit the change. Any thoughts?

  2. mattk

    Someone could easily set up a laconi.ca install to produce evil messages, so you want to do some sort of escaping on the client side.

    This is happening in the unescape though, so I wonder if you need the unescape. Once you've treated the potentially problematic tags as html entities, what's to gain by turning them back into tags?

  3. Anonymous

    Yeah, that's what I'm thinking -- if the text is coming through unescaped despite this line, I don't know what it's supposed to be doing. Ampersands also seem to appear just fine without the text.replace.

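The decode-then-strip behaviour discussed in this thread, next to a single-pass decode that keeps the result as text, as an added example that is not IdentiFox code. The function names are hypothetical, the tag-stripping step models the reporter's assumption about the unescape helper, notice text is assumed to arrive entity-encoded, and the sample strings are constructed.

```javascript
// Added example: hypothetical helpers, not taken from the IdentiFox source.

// Small constructed subset of named entities expected in a notice.
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decode entities in ONE pass, so "&amp;lt;" becomes the text "&lt;"
// rather than being decoded a second time into "<".
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    // Unknown names are left untouched instead of being guessed at.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Model of the behaviour assumed in the thread: "&amp;" is decoded first,
// everything is decoded again, then anything shaped like a tag is dropped.
function lossyPipeline(text) {
  const decoded = decodeEntities(text.replace(/&amp;/g, "&"));
  return decoded.replace(/<[^>]*>/g, "");
}

// Decode once and treat the result as plain text. In the UI this string
// would be assigned to node.textContent, never parsed as markup.
function noticeToText(text) {
  return decodeEntities(text);
}

// Only for the case where markup has to be assembled as a string.
function escapeHTML(s) {
  return s.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Constructed sample notices, as a server might send them.
const samples = ["a &lt;text in angle brackets&gt; b", "&amp;lt;b&amp;gt;"];
for (const raw of samples) {
  console.log(JSON.stringify({
    raw,
    lossy: lossyPipeline(raw),           // bracketed text is swallowed
    text: noticeToText(raw),             // bracketed text survives as text
    html: escapeHTML(noticeToText(raw)), // inert if it must become markup
  }));
}
```

The second sample shows why the extra `&amp;` replacement matters: it turns a doubly encoded `&amp;lt;b&amp;gt;` into a live `<b>` before the strip step, while the single-pass decode leaves it as the visible text `&lt;b&gt;`.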