Potentially unexpected behavior from "HTML escaped" characters

[Xortrox]

I could be missing something, or an option somewhere that allows me to specify the behavior, but I noticed that for instance < and > gets treated as actual < and > when passed into the [content] input:

This behavior is unexpected because it would allow a user to manually send in our tag in chat, despite this being HTML-escaped server side

[Xortrox]

After posting this I realized there exists a global option called "convertHTMLEntities" but even with this turned off, the problem persists.

[Xortrox]

This shows how we implement our module in all cases^

And this would be our global options object:

[Xortrox]

Our element was potentially overriding the global options^ investigating

[Xortrox]

Yes, nevermind then, this was why the option did not work, and it now works as expected:

I still think that this being the default behavior is unexpected?

To explain further, in our game, [player:123] will create while we normally wouldn't allow a player to manually send that raw angular element, but when HTML escaped entities are treated as their original character, this is reverted and the user can technically inject specific angular components, albeit relatively harmless.

[MTobisch]

I'm sorry this has caused some confusion for you.

Honestly, I added the conversion of HTML chars by default as a sort of convenience feature for certain scenarios, such as for example using your Angular hooks in a WYSIWYG editor that might escape the input before saving it in a database. I didn't want devs to deal with also finding a good way to convert HTML entities in addition to understanding my library. Its a minor nuisance. This way, it simply works out of the box in more use cases.

I left it as the default option because I figured unintentional escaping might be more common than intentional escaping (as with your game). But yeah, its hard to make that call.

[Xortrox]

Very understandable, could it be an idea to address this specific special case in the documentation to some extent? It's one of those things a few developers might miss or not think about, causing unintended behavior in my experience, generally speaking for HTML escaping that is.

[MTobisch]

You may be right. I've added a paragraph addressing the issue in the troubleshooting FAQ in the documentation.