
Use HTML inside comment #40

Closed
SoaresMG opened this issue Feb 23, 2016 · 5 comments

Comments

@SoaresMG

Is there any way to use HTML inside the comment?

To do this, I changed the following line:
1593: content.html(this.linkify(this.escape(commentModel.content)));

to
1593: content.html(this.linkify(commentModel.content));

@jjtykkyl
Contributor

The content of the comment is escaped on purpose. If you insert the content into the DOM without escaping it, malicious users may inject JavaScript into the site. For example, if you post a comment

"<script>alert('Hi there!')</script>"

and insert it into the DOM straight up, all the users will be prompted with "Hi there!".
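
The two rendering orders from this issue, as an added example that is not the plugin's own code. The `escapeHtml`, `linkify` and `tagNames` functions below are stand-ins written for this illustration (the plugin's real `escape`/`linkify` at line 1593 are not reproduced here), and the two payloads are constructed inputs: the maintainer's script payload and one that tries to break out of the `href` attribute that linkify generates.

```javascript
// Added example, not code from the plugin discussed in this issue.
// It reproduces the two rendering orders from the issue with stand-in
// escape/linkify functions (assumed, not the plugin's own) and shows what
// would reach the DOM via content.html(...) for constructed payloads.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can open a tag or break out of an attribute.
// One pass, one lookup per character, so nothing is double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrap http(s) URLs in anchors. Intended to run on already escaped text:
// a quote in the URL is then &quot; and cannot terminate the href, and a
// javascript: URL never matches the scheme prefix.
const URL_RE = /\bhttps?:\/\/[^\s<]+/g;
function linkify(text) {
  return text.replace(
    URL_RE,
    (url) => `<a href="${url}" rel="noopener noreferrer" target="_blank">${url}</a>`
  );
}

// The change proposed in the issue: content.html(linkify(content)).
// Whatever the commenter typed becomes markup.
function renderUnsafe(content) {
  return linkify(content);
}

// What the plugin does: content.html(linkify(escape(content))).
// User text becomes entities; the only tags are the ones linkify emits.
function renderSafe(content) {
  return linkify(escapeHtml(content));
}

// List the element names present in an HTML string so each rendering can be
// checked without a browser. A tag starts only at a literal '<' followed by a
// letter; '&lt;' never counts.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed payloads (not from any real comment): the one from the
// maintainer's comment, and one that tries to break out of the generated href.
const SCRIPT_PAYLOAD = "<script>alert('Hi there!')</script>";
const HREF_PAYLOAD = 'see http://example.com/?q="><img src=x onerror=alert(1)> now';

if (typeof module !== 'undefined' && require.main === module) {
  for (const p of [SCRIPT_PAYLOAD, HREF_PAYLOAD]) {
    console.log('unsafe tags:', tagNames(renderUnsafe(p)));
    console.log('safe tags:  ', tagNames(renderSafe(p)));
    console.log('safe html:  ', renderSafe(p));
  }
}
```

Order matters in the safe path: escaping first turns the user's `<`, `>`, `"` and `'` into entities, and linkify then adds the only real tags. Escaping after linkify would neutralise the generated `<a>` as well, which is why the plugin escapes before it links. This is output encoding for the HTML text context only; a comment that is stored and shown to other readers is exactly the stored-XSS case the maintainer describes, regardless of whether the client or the server does the rendering.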

@SoaresMG
Author

Yes, I thought about that.
But should we stop a feature for such a triviality? If so, what's the solution? Should I perform server-side validation?

@jjtykkyl
Contributor

The issue is not as trivial as you may think; please check out the list of possible vulnerabilities at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. There's a good reason why Facebook, Google and even GitHub won't support pure HTML comments. If you wish to implement something like this, I recommend using a Markdown approach like the one implemented here on GitHub.
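
What the Markdown approach buys you, as an added example that is not the plugin's code and not a real Markdown implementation: a deliberately small subset (`**bold**`, `` `code` ``, `[text](https://...)`) chosen for illustration, applied after escaping, so the user gets formatting while the only tags in the output are the ones the renderer itself emits. The marker set and the `renderMarkdownSubset` name are assumptions; the inputs are constructed.

```javascript
// Added example, not the plugin's code: a deliberately small Markdown-like
// subset on top of escaping. The markers supported here (**bold**, `code`,
// [text](https://...)) are an assumption for illustration, not a spec.
// Raw HTML typed by the user is escaped before any transform runs, so the
// only tags in the output are the ones this function emits itself.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only absolute http(s) links become anchors; anything else (javascript:,
// data:, relative paths) is left as literal text. The regex runs on escaped
// text, so a quote inside the URL is already &quot; and cannot end the href.
const LINK_RE = /\[([^\]]+)\]\((https?:\/\/[^\s)]+)\)/g;

function renderMarkdownSubset(content) {
  let out = escapeHtml(content);                       // step 1: neutralise all user HTML
  out = out.replace(/\*\*([^*]+)\*\*/g, (m, inner) => `<strong>${inner}</strong>`);
  out = out.replace(/`([^`]+)`/g, (m, inner) => `<code>${inner}</code>`);
  out = out.replace(LINK_RE, (m, text, url) =>
    `<a href="${url}" rel="noopener noreferrer" target="_blank">${text}</a>`);
  return out;
}

// Constructed input mixing legitimate markup, raw HTML and a javascript: link.
const SAMPLE = '**Hi** <script>alert(1)</script> [docs](https://example.com/?a=1&b="2") [evil](javascript:alert(1))';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(renderMarkdownSubset(SAMPLE));
}
```

The script tag and the `javascript:` link survive only as text; the bold, code and https link are rendered. Adding more syntax keeps the same rule: every transform consumes escaped text and emits only tags whose attributes it fully controls.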

@SoaresMG
Author

OK, I see.
However, there isn't any possible way to change server-side data. These are client-to-client actions.

I know it's bad anyway, but I'm using it on an intranet portal; no one inside a single company wants to inject some JS in a comment. If he wants to do it, he will suffer some consequences because I use comment history.

In the future I will implement that Markdown approach.
Thank you, that's the right solution.

@sarvap-praharanayuthan

I feel the same as you, LESARQ. Instead of force-escaping the comment, it might be given as an option such as escapeContent: true with a warning.
