You are viewing an historical archive of past issues. Please report new issues to the appropriate project issue tracker on GitHub.

Bug #1684: Escaped HTML entities visible in tags#show

Kind bug
Product wincent.dev
When 2010-09-09T06:35:50Z
Status closed
Reporter Greg Hurrell
Tags no tags

Description

Visible at https://wincent.dev/tags/ruby, under the "tweets" section:

Want to know when it's really &quot;safe&quot; to switch production projects ...

Comments

  1. Greg Hurrell 2010-09-09T06:46:42Z

    Kicks in only when tweet is long enough to be truncated.

  2. Greg Hurrell 2010-09-09T06:57:39Z

    The bug is happening here:

    def tweet_title tweet
      stripped    = strip_tags tweet.body.w
      compressed  = stripped.gsub /\s+/, ' '
      compressed.strip!
      truncate compressed, :length => 80
    end

    If the body contains quotes (eg. he said "hello") then the wikitext translator will turn the quotes into entities (eg. he said &quot;hello&quot;). At this point the string is marked HTML-safe.

    If the string is shorter than 80 characters, then the truncate method returns it unchanged and it is still marked as HTML-safe, so it appears in the view as-is.

    If, however, the string is longer, then truncate chops it and the result is marked as not HTML-safe, so when it gets rendered in the view, the entities get re-escaped (ie. & becomes &amp;, so our entity is now displayed as &quot;).

  3. Greg Hurrell 2010-09-09T07:03:33Z

    Other places in the code where truncate is used in potentially problematic ways:

    • in dashboard#show we have a truncate strip_tags(comment.body.w), ...

    There are other places where we use truncate in conjunction with wikitext transformation, but usually in an order where this bug won't crop up; eg:

    # here we pipe through the translator only _after_ truncation
    truncate(model.excerpt, :length => 240).w

    Then there are places where we use it without wikitext, and that's harmless too; eg:

    truncate issue.summary, :length => 60
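
The mechanism from comments 2 and 3, as an added example that is not part of the original issue or of wincent.dev's code: a plain-Ruby model with no Rails dependency. `SafeString`, `escape_html`, `translate`, `render` and `double_escaped` are hypothetical stand-ins (for the HTML-safe mark, the `.w` translation and view auto-escaping), and `truncate` here only mimics the behaviour the issue describes.

```ruby
# Constructed model of the issue; none of this is Rails or wincent.dev code.
ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# Hypothetical stand-in for a string carrying the HTML-safe mark.
class SafeString < String; end

def escape_html(text)
  String.new(text.gsub(/[&<>"]/, ENTITIES))
end

# Stand-in for the wikitext translator (`.w`): encodes entities, marks the result safe.
def translate(raw)
  SafeString.new(escape_html(raw))
end

# Mimics truncate as the issue describes it: short input comes back unchanged
# (mark intact); chopped input comes back as a plain, unmarked String.
def truncate(text, length:)
  return text if text.length <= length
  String.new(text[0, length - 3] + '...')
end

# Stand-in for view auto-escaping: marked strings pass through, the rest is escaped.
def render(text)
  text.is_a?(SafeString) ? text.to_s : escape_html(text)
end

# Order used in tweet_title: translate first, truncate second.
def translate_then_truncate(body)
  render(truncate(translate(body), length: 80))
end

# Order comment 3 calls harmless: truncate the raw text, translate afterwards.
def truncate_then_translate(body)
  render(translate(truncate(body, length: 80)))
end

# Regression check for rendered output: entities that were escaped a second time.
def double_escaped(html)
  html.scan(/&amp;(?:[a-z]+|#\d+);/i)
end

SHORT = 'he said "hello"'                     # constructed sample
LONG  = SHORT + ' and then kept talking' * 4  # constructed, over 80 characters

[SHORT, LONG].each do |body|
  puts translate_then_truncate(body), truncate_then_translate(body)
end
```

Only the long sample renders `&amp;quot;` in the translate-then-truncate order, matching comment 1's observation that the bug appears only when the tweet is long enough to be truncated.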

  4. Greg Hurrell 2010-09-09T08:47:04Z

    Fixed.

  5. Greg Hurrell 2010-09-09T08:47:11Z

    Status changed:

    • From: new
    • To: closed

Comments are now closed for this issue.