Skip to content

Unify the HTML encoding handling with other ROS apps #13819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MorrisJobke merged 2 commits into from
Feb 7, 2019
Merged

Unify the HTML encoding handling with other ROS apps #13819

MorrisJobke merged 2 commits into from
Feb 7, 2019

Conversation

@nickvergessen
Copy link
Member

@nickvergessen nickvergessen commented Jan 25, 2019
edited
Loading

While looking into nextcloud/android#3487 I noticed, that the apps which use the most famous RichObjectStrings (Activity and Notifications) have an inconsistent handling in terms of HTML encoding. Or to phrase it better, neither cared and it worked for most, because the providing app happened to escape the HTML (sometimes).

So now we simply define, that ROS should not be HTML escaped, similar to their plain-text variants. Instead the viewing part is responsible to escape the HTML properly, which was provided before the ROS rendering happens.

⚠️ The rendering PRs below need to be merged/backported before, otherwise we create a stored XSS in the comments app. ⚠️

I checked all apps, and I only could find HTML handling in comments (for activities only, notifications are fine) and announcementcenter (both fixed for upcoming)

Client devs please confirm that this works as intended on your side then:

You can test this, by mentioning your user @test1 in a comment:

@test1 <strong>this should not be bold</strong>
This is on a new line

<em>And this is two lines away and NOT italic</em>

@nickvergessen
Unify the HTML encoding handling with other ROS apps
5879920 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen
Update documentation of setParsed* and setRich*
47f63da 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen added this to the Nextcloud 16 milestone Jan 25, 2019
@nickvergessen nickvergessen mentioned this pull request Jan 25, 2019
Closed
This was referenced Jan 25, 2019
Merged
Merged
@tobiasKaminsky
Copy link
Member

tobiasKaminsky commented Jan 28, 2019

As mentioned on IRC, this is working on Android.
But as soon as I enable this PR, I do get html tags parsed after a refresh of the web site:

  • open details on any file
  • enter a comment with html tag
  • see that they are not parsed
  • refresh site
  • see html tags parsed, e.g. text is bold

@nickvergessen
Copy link
Member Author

nickvergessen commented Jan 28, 2019

Which is expected as per the bold warning in the PR description

@tobiasKaminsky
Copy link
Member

tobiasKaminsky commented Jan 28, 2019

Hm. I assumed that if I enable all three PRs, that then everything would work…
Then sorry for the noise ;-)

@marinofaggiana
Copy link
Member

marinofaggiana commented Jan 28, 2019

Sure, no problem !

@rullzer
Copy link
Member

rullzer commented Jan 30, 2019

@nickvergessen so since we only have notifications on the client. We'd need to validate that we escape the html right?

@nickvergessen
Copy link
Member Author

nickvergessen commented Jan 30, 2019

@rullzer yeah basically make sure all HTML is shown as plain text <strong>.
Markup should only be done via the Rich message stuff.

@rullzer
Copy link
Member

rullzer commented Jan 30, 2019

I'll try to verify this evening then

@rullzer
Copy link
Member

rullzer commented Feb 1, 2019

ros

Properly escaped on desktop.,

@MorrisJobke MorrisJobke merged commit 668b706 into master Feb 7, 2019
@MorrisJobke MorrisJobke deleted the bugfix/noid/unify-html-encoding-handling-with-other-ros-apps branch February 7, 2019 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rullzer rullzer rullzer approved these changes

@MorrisJobke MorrisJobke MorrisJobke approved these changes

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug client: 💻 desktop client: 🤖🍏 mobile feature: activity and notification technical debt

Projects

None yet

Milestone

Nextcloud 16

Development

Successfully merging this pull request may close these issues.

6 participants

@nickvergessen @tobiasKaminsky @marinofaggiana @rullzer @MorrisJobke