Question thread #40
It's time for another question thread!
The rules:
- You may ask any dev-related question you have in a comment. (It doesn't even need to be about Dreamwidth, although if it involves a language/library/framework/database Dreamwidth doesn't use, you will probably get answers pointing that out and suggesting a better place to ask.)
- You may also answer any question, using the guidelines given in To Answer, Or Not To Answer and in this comment thread.
The rules:
- You may ask any dev-related question you have in a comment. (It doesn't even need to be about Dreamwidth, although if it involves a language/library/framework/database Dreamwidth doesn't use, you will probably get answers pointing that out and suggesting a better place to ask.)
- You may also answer any question, using the guidelines given in To Answer, Or Not To Answer and in this comment thread.
no subject
no subject
(Also, thanks for opening a ticket on that. I've been going on about escaped HTML in PMs literally since 2010 or so. I never approached Support but I did write an actual rant to
no subject
no subject
LJ::Protocol, beginning line 495, handles sending a message. The subject text is given by
$req->{'subject'}
, checked by LJ::text_in (in LJ::TextUtil), and passed to LJ::Message. $req is what was submitted via the form?LJ::text_in returns LJ::is_utf8($text), which returns LJ::is_utf8_wrapper( $text ), which returns Unicode::CheckUTF8::is_utf8( ''. $text ), to make sure that the text is treated as a string. Fine.
LJ::Message:
Alright, so it's the LJ::ehtml call in row 285 (sub subject). Body text isn't getting similarly overescaped; I think PMs don't display HTML in any case so there's no need for this call to the cleaner, but I don't understand the difference in behaviour between body and subject and I'm a bit nervous about just throwing things out. Which I think means I should cross-check how support requests are handled, because those don't get overescaped but are HTML-stripped.
no subject
The problem is that LJ::ehtml is getting called every time a PM is sent, but if a PM is a reply, it's already been through LJ::ehtml once. So, an & has already been turned into & on the previous pass, and a second pass will see the & in the & and turn it into &. (I think. I am doing this in email and in order to make it render I have to escape it one order higher, heh.)
I think we have a "strip HTML" rather than "escape HTML" function somewhere in there; you can probably replace the call to ehtml with a call to that, but somebody better with security/escaping issues than I am can probably say for sure.
no subject
RIGHT. OF COURSE. Thank you!
... which, I mean, that still leaves me at "I don't adequately understand what's going on here to be confident in any solution", but also means that I think I really can go cross-reference with how the Support Board handles this.
no subject
and ha, I am a master of escaping, that did exactly whta I wanted it to do.
no subject