Sqid-generated links in descriptions broken by escaping #128
Comments
Yes, but escaping works differently for the main description. The problem seems to be that the property's description is escaped twice.
Why twice? The problematic cases just show the HTML source code, which is what you would get when escaping the SQID-generated markup once. It seems one would merely have to do the escaping before inserting the (safe) markup.
Yes, it turns out you were right, escaping was applied after inserting the links instead of before.
The recent XSS fix has broken SQID's ability to add some hyperlinks to descriptions. For example see
https://tools.wmflabs.org/sqid/#/view?id=Q6581097
This shows correct links in the main description below the header, but broken links in the description of "female" on the page. It would be good if this could be fixed or at least disabled to make the markup disappear, but one might also wonder why it works in the main description (are we correctly escaping there after all?).
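The ordering problem discussed in this thread, as an added example that is not SQID's own code: `escapeHtml`, `linkEntityIds`, `renderBroken` and `renderFixed` are hypothetical helpers, the link format is assumed from the URL quoted in the issue, and the sample description is constructed.

```javascript
// Escape the HTML-significant characters in untrusted text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical linkifier: wraps entity ids such as Q6581097 in trusted markup.
// Only [PQ] followed by digits is copied into the tag, so no untrusted
// characters can end up inside the generated attribute.
function linkEntityIds(text) {
  return text.replace(/\b([PQ]\d+)\b/g, '<a href="#/view?id=$1">$1</a>');
}

// Order described as the bug: links are inserted first, then the whole
// string is escaped, so the generated <a> tags show up as visible source.
function renderBroken(description) {
  return escapeHtml(linkEntityIds(description));
}

// Order described as the fix: escape the untrusted description first,
// then insert the trusted link markup into the already-escaped text.
function renderFixed(description) {
  return linkEntityIds(escapeHtml(description));
}

// Constructed description holding an entity id and markup that must stay inert.
const sample = 'see also Q6581097 <script>alert(1)</script>';

console.log('broken:', renderBroken(sample));
console.log('fixed: ', renderFixed(sample));
```

In both orders the untrusted `<script>` text stays escaped; only the fixed order leaves the generated link as working markup.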