Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Fix) Remove htmlspecialchars from comment quote function #4435

Open
wants to merge 3 commits into
base: 8.x.x
Choose a base branch
from
Open

(Fix) Remove htmlspecialchars from comment quote function #4435

wants to merge 3 commits into from

Conversation

AnabolicsAnonymous
Copy link
Contributor

When replying to a message that has any special characters like quotes or ampersands it would html encode them in plain text, this removes that operation to make it work properly.

Roardom
Roardom suggested changes Jan 19, 2025
View reviewed changes
Copy link
Contributor

@Roardom Roardom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use the logic that's already used for forum posts:

UNIT3D-Community-Edition/resources/views/components/forum/post.blade.php

Lines 109 to 126 in c64275f

x-on:click="
document.getElementById('forum_reply_form').style.display = 'block';
input = document.getElementById('bbcode-content');
input.value += '[quote={{ \htmlspecialchars('@' . $post->user->username) }}]';
input.value += (() => {
var text = document.createElement('textarea');
text.innerHTML = decodeURIComponent(
atob($refs.content.dataset.base64Bbcode)
.split('')
.map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
.join('')
);
return text.value;
})();
input.value += '[/quote]';
input.dispatchEvent(new Event('input'));
input.focus();
"

I figured there was a high chance something would break when modifying #4424

@AnabolicsAnonymous
Copy link
Contributor Author

We should use the logic that's already used for forum posts:

UNIT3D-Community-Edition/resources/views/components/forum/post.blade.php

Lines 109 to 126 in c64275f

x-on:click="
document.getElementById('forum_reply_form').style.display = 'block';
input = document.getElementById('bbcode-content');
input.value += '[quote={{ \htmlspecialchars('@' . $post->user->username) }}]';
input.value += (() => {
var text = document.createElement('textarea');
text.innerHTML = decodeURIComponent(
atob($refs.content.dataset.base64Bbcode)
.split('')
.map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
.join('')
);
return text.value;
})();
input.value += '[/quote]';
input.dispatchEvent(new Event('input'));
input.focus();
"

I figured there was a high chance something would break when modifying #4424

Assumed that's what he would've used, what exactly would we be taking out of this function that isn't already here though?

@Roardom
Copy link
Contributor

Roardom commented Jan 19, 2025

We should use the logic that's already used for forum posts:

UNIT3D-Community-Edition/resources/views/components/forum/post.blade.php

Lines 109 to 126 in c64275f

x-on:click="
document.getElementById('forum_reply_form').style.display = 'block';
input = document.getElementById('bbcode-content');
input.value += '[quote={{ \htmlspecialchars('@' . $post->user->username) }}]';
input.value += (() => {
var text = document.createElement('textarea');
text.innerHTML = decodeURIComponent(
atob($refs.content.dataset.base64Bbcode)
.split('')
.map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
.join('')
);
return text.value;
})();
input.value += '[/quote]';
input.dispatchEvent(new Event('input'));
input.focus();
"

I figured there was a high chance something would break when modifying #4424

Assumed that's what he would've used, what exactly would we be taking out of this function that isn't already here though?

Okay now you've made me unsure of the way to go about this properly :) (I'm not a js person). I've fixed issues similar to this in the past such as #2933 and #3165. Also this commit 6bd691c where it was undone looks like it was quite intentional for it to be added.

But looking into this further and it seems that the solution implemented in #4424 is deprecated in js, but it still works, and it bypasses the need for the alternative I used in the previous solutions of creating a textarea, putting the text in, and it solving the decoding aspect on its own. So in that sense, it'd be a good idea to change the other 2 locations where this is used (resources/views/components/forum/post.blade.php, and resources/views/torrent/partials/description.blade.php) to match what you've implemented here, alongside the escape changes. Would you be willing to do that?

(fwiw, the root problem surrounding all these issues is that atob returns bytes in js, but js strings use utf-16)

@HDVinnie HDVinnie changed the title fix: remove htmlspecialchars from comment quote function (Fix) Remove htmlspecialchars from comment quote function Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Roardom Roardom Roardom requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AnabolicsAnonymous @Roardom