Fix search result descriptions are double-escaped #1252
Conversation
|
🚀 Preview for commit 26adabc can be found at https://web-php-pr-1252.preview.thephp.foundation |
|
🚀 Regression report for commit 26adabc is at https://web-php-regression-report-pr-1252.preview.thephp.foundation |
|
Returned escaped HTML in the JSON is quite uncommon though. It is generally recommended to perform the escaping at the point of displaying. Maybe the JSON should be changed instead. |
Agreed. A simple solution would be to decode the HTML entities before escaping. This prevents double escaping while still protecting against XSS: const decodeHtmlEntities = (str) => {
const textarea = document.createElement('textarea');
textarea.innerHTML = str;
return textarea.value;
};- ${escape(description)}
+ ${escape(decodeHtmlEntities(description))}
See this demo and this answer. |
To me, a better solution is to remove the escaping performed when generating the Json response. |
Since we are using the json format, if the string contains <refname>ssh2_auth_none</refname>
<refpurpose>Authenticate as "none"</refpurpose> |
|
@sy-records The JSON format does not require applying HTML escaping in its values. |
|
Yes, but no HTML will appear in the current scene. |
|
I think @stof meant that HTML entities are not needed for escaping quotes just for JSON transport. We can use standard JSON escaping {
"example": "Authenticate as \"none\""
}PHP |
| @@ -59,7 +59,7 @@ | |||
|
|
|||
| foreach ($js as $k => $item) { | |||
| if ($item && isset($index[$k])) { | |||
| $index[$k][1] = $item; | |||
| $index[$k][1] = html_entity_decode($item); | |||
There was a problem hiding this comment.
Why do we need to decode it here ? Shouldn't the code generating search-description.json be updated instead ?
Fix #1239
The data is already escaped.