&
Comment on Hey I'm trying to abbreviate here
WoodenBleachers@lemmy.basedcount.com 1 year ago
Not sure why the devs have so much trouble with parsing this. I’m not sure if it’s an API thing or a front-end issue
db2@sopuli.xyz 1 year ago
Comment on Hey I'm trying to abbreviate here
WoodenBleachers@lemmy.basedcount.com 1 year ago
Not sure why the devs have so much trouble with parsing this. I’m not sure if it’s an API thing or a front-end issue
&
dual_sport_dork@lemmy.world 1 year ago
Something somewhere is running an
htmlspecialchars()
or equivalent on whatever you input, probably as an attempt at “sanitizing” the text entered in titles/posts/comments. You know, to keep me from just inserting into a comment and have it to something naughty to anyone who loads the page.I’m certain these are being stored in the database as an &, but they’re not being decoded back into an ampersand character upon display.
WoodenBleachers@lemmy.basedcount.com 1 year ago
I know, just sanitize it again. .Replace(“&”, &), Regex.Remove(amp;), if(.Contains(“amp;”))
ChaoticNeutralCzech@feddit.de 1 year ago
The same with < and
<
pleaseBlack616Angel@feddit.de 1 year ago
No. This is just escaped html. So you can just unescape it like every other html.
AnotherRyguy@lemmy.world 1 year ago
Please be kidding lol
Agentseed@artemis.camp 1 year ago
would it not be possible for whatever's decoding it to run arbitrary Javascript if done wrong? maybe that's why it doesn't exist yet?
dual_sport_dork@lemmy.world 1 year ago
The decode really, really, really should not be happening client side in Javascript. The backend should handle it before handing the text to the user’s browser. You are correct; If this is done client side it means a bad actor can mess with it and/or include an injection attack of some sort.
Nothing client side should ever handle user input, except perhaps convenience features like flagging incomplete fields or kicking the cursor to the next input element when one is full (e.g. for phone numbers). Anything client side can be fucked with by the client. Validation needs to happen on the server side, before committing the input to the database (or doing whatever it’s going to do with it).
dual_sport_dork@lemmy.world 1 year ago
There are a lot of potential pitfalls any time you accept text input from a user, store it, and regurgitate it back to display on a user’s browser. The thing is, HTML (and all HTML-encapsulated scripting languages) are just text. So regular words and a block of Javascript that makes dancing polka-dotted hippos dance across your screen and incessantly play the Hamster Dance song at 200% volume are, without protections, input and stored exactly the same way. Preventing ne’er-do-wells from doing injection attacks with SQL calls, HTML, control and escape characters, Javascript, etc. is part of a whole industry.
It appears lemmy does filter out raw HTML tags, at least. I tried to insert one in my last comment just for illustration and it was silently removed from the input.
Toes@ani.social 1 year ago
I can’t use <3 in a post title without it getting mangled.
onion@feddit.de 1 year ago
Theres a git issue on this