Escape Editable HTML #17994
Tested this with the following post in That's actually wrong because I typed "…HTML is Before saving and reloading this was in the text view of the editor.
And this displayed in the page view: On this branch however…
and after save and reload
Regardless of the details this seems to address the issue and get us out of a painful place where you can't type what you want. Thanks @ellatrix!
This is a good fix and covers at least one common case that's frustrating.
@davilera Have you tested this PR? It should fix that too.
I tested #13218, and this PR fixes it too. Added a test case.
53f1253 to 03b8212
Just for extra clarity: this fixes all escaping for all HTML entities in editable text, not just
Thanks for the review @dmsnell!
Description
Fixes #16252.
Fixes #13218.
Alternative to #17789.
General problem: currently we only escape "lone" ampersands (& => &amp;) in editable text. This is a bit strange, since if you create some text, you'd expect e.g. &amp; to be rendered as such. This is NOT the case. &amp; needs to be converted to &amp;amp; in order to be rendered as &amp;. The same is true for any other HTML entity.

Also removes an unnecessary layer of escaping and unescaping from the code block. The attribute source is of the type text, which already unescapes entities. In the code block, we only need to make sure the value from PlainText is properly escaped for use in normal HTML elements (since PlainText is a textarea and its value is unescaped).

How has this been tested?
…. Preview the post. You should see… and not….
…. Save. Reload the place. The block should be valid.

Screenshots
Types of changes
Checklist:
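
The difference the description draws between escaping only "lone" ampersands and escaping every ampersand, shown as a save-and-reload round trip. This is an added example, not code from this PR or from Gutenberg: the function names and sample strings are constructed for illustration, and decodeEntities is a simplified stand-in for the parser's entity decoding on reload.

```javascript
// Added example: function names and sample strings are hypothetical,
// not Gutenberg's API.

// Old behaviour: escape only "lone" ampersands, i.e. those that do not
// already begin something shaped like an entity.
function escapeLoneAmpersands(text) {
  return text.replace(/&(?!([a-z0-9]+|#[0-9]+|#x[a-f0-9]+);)/gi, '&amp;');
}

// New behaviour: typed text is data, so every "&" and "<" is escaped,
// including an "&" that starts an entity the user typed literally.
function escapeEditableHTML(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Simplified single-pass entity decoder (assumption: stands in for the
// HTML parser that reads the saved post back on reload).
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"']]);
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Save with the given escaper, then reload: what does the user get back?
function roundTrip(escape, typed) {
  return decodeEntities(escape(typed));
}

// Constructed samples of text a user might type into an editable field.
const samples = ['AT&T', 'Type &amp; for an ampersand', '<b> or &lt;b&gt;'];
for (const typed of samples) {
  console.log(JSON.stringify({
    typed,
    loneOnly: roundTrip(escapeLoneAmpersands, typed),
    escapeAll: roundTrip(escapeEditableHTML, typed),
  }));
}
```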