Plume
/
Plume
8
16
Fork 22
Code Issues 174 Pull Requests 8 Releases 8 Wiki Activity

Labels Milestones

Escape expressions in @Html #767

Merged
KitaitiMakoto merged 1 commits from html-escape into master 4 years ago
Conversation 2 Commits 1 Files Changed 1
KitaitiMakoto commented 4 years ago (Migrated from github.com)

I found "use your Fediverse account" link at https://plume.nixnet.xyz/~/BlogOwl/why-i-don't-have-a-personal-website is broken. This is because URI in HTML attributes is not escaped.

I know characters which need to be escaped is not allow in user name, so escape(&uri!(user::details: name = &author.fqn).to_string()), might be unnecessary. But escaping all expressions in HTML template is web application basis. For instance, in the future, special chars in user name might get allowed and at the time this link will be broken.

I found "use your Fediverse account" link at https://plume.nixnet.xyz/~/BlogOwl/why-i-don't-have-a-personal-website is broken. This is because URI in HTML attributes is not escaped. I know characters which need to be escaped is not allow in user name, so `escape(&uri!(user::details: name = &author.fqn).to_string()),` might be unnecessary. But escaping all expressions in HTML template is web application basis. For instance, in the future, special chars in user name might get allowed and at the time this link will be broken.
codecov[bot] commented 4 years ago (Migrated from github.com)

Codecov Report

Merging #767 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #767   +/-   ##
=======================================
  Coverage   38.99%   38.99%           
=======================================
  Files          73       73           
  Lines        9721     9721           
  Branches     2226     2226           
=======================================
  Hits         3791     3791           
  Misses       4878     4878           
  Partials     1052     1052
# [Codecov](https://codecov.io/gh/Plume-org/Plume/pull/767?src=pr&el=h1) Report > Merging [#767](https://codecov.io/gh/Plume-org/Plume/pull/767?src=pr&el=desc) into [master](https://codecov.io/gh/Plume-org/Plume/commit/847d6f7fac57e18b9b3bf7ac0f64bc461883841d&el=desc) will **not change** coverage. > The diff coverage is `n/a`. ```diff @@ Coverage Diff @@ ## master #767 +/- ## ======================================= Coverage 38.99% 38.99% ======================================= Files 73 73 Lines 9721 9721 Branches 2226 2226 ======================================= Hits 3791 3791 Misses 4878 4878 Partials 1052 1052 ```
elegaanz (Migrated from github.com) approved these changes 4 years ago
elegaanz (Migrated from github.com) left a comment

Seems reasonable indeed. 👍

Seems reasonable indeed. :+1:
KitaitiMakoto commented 4 years ago (Migrated from github.com)

Thank you!

Thank you!
kiwii referenced this issue from a commit 4 years ago
Escape expressions in @Html (#767)

Reviewers

elegaanz
The pull request has been merged as dabe904642.
You can also view command line instructions.

Step 1:

From your project repository, check out a new branch and test the changes.
git checkout -b html-escape master
git pull origin html-escape

Step 2:

Merge the changes and update on Forgejo.
git checkout master
git merge --no-ff html-escape
git push origin master
Sign in to join this conversation.
Reviewers
Request review
No reviewers
elegaanz
Labels
Apply labels
Clear labels   
A: API

Related to the REST API   
A: Backend

Code running on the server   
A: Federation

Stuff related to Federation   
A: Front-End

Related to the front-end   
A: I18N

Translations, and related code   
A: Meta

More about project management or code than the project itself   
A: Security
   
Build

The building, or installation process of Plume   
C: Bug

Something isn't working   
C: Discussion

We need to talk   
C: Enhancement

New feature or request   
C: Feature

This is a new feature   
Compatibility

Compatibility with different browsers, readers and OS   
Dependency

Related to an external package that Plume uses   
Design

UI/UX related issues and PRs   
Documentation
   
Good first issue

Good for newcomers   
Help welcome

Extra attention is needed   
Mobile

Issues affecting only mobile UX   
Rendering

How elements're rendered out for the end user   
S: Blocked

Something else needs to be fixed first   
S: Duplicate

This issue or pull request already exists   
S: Incomplete

This PR is not complete yet   
S: Instance specific

Issues concern a limited number of instances   
S: Invalid

This doesn't seem right   
S: Needs Voting/Discussion

Need to be discussed by the community (on Loomio)   
S: Ready for review

This PR is ready to be reviewed   
Suggestion

Proposed ideas worth considering   
S: Voted on Loomio

This is issue has been created after a vote on Loomio   
S: Wontfix

This will not be worked on
No Label
A: API
A: Backend
A: Federation
A: Front-End
A: I18N
A: Meta
A: Security
Build
C: Bug
C: Discussion
C: Enhancement
C: Feature
Compatibility
Dependency
Design
Documentation
Good first issue
Help welcome
Mobile
Rendering
S: Blocked
S: Duplicate
S: Incomplete
S: Instance specific
S: Invalid
S: Needs Voting/Discussion
S: Ready for review
Suggestion
S: Voted on Loomio
S: Wontfix
Milestone
Set milestone
Clear milestone
No items
No Milestone
Assignees
Assign users
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Plume/Plume#767
Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch 'html-escape'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes