[As designed] Markup in phrases converted to HTML entities

tomdav

Active member
Affected version: 2.1
For example, I tried changing the phrase "Star" to <i class="fal fa-star"></i>. It displays fine initially, but when I toggle star/unstar while viewing a conversation it converts the Font Awesome markup to HTML entities rather than displaying the Font Awesome icon.

Edit: this is due to the function XF.handleSwitchResponse using the jQuery .text() method. I modified it to use the .html() method and it works fine now (although I do need to wrap the Font Awesome markup in span tags, which borders on another bug). Is there a reason why it is currently limited to text only?
Unfortunately the general case is whenever we've used .text() specifically or otherwise are escaping HTML output, it is deliberate and done for security.

In some cases it may be slightly over-zealous, but we're not necessarily going to implement changes that will potentially introduce XSS vectors unintentionally.
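The exchange above comes down to one question: what can a label written with .text() do versus one written with .html()? The following is an added example, not XenForo's code and not the XF.handleSwitchResponse implementation tomdav patched. It models the DOM element as a plain object with an innerHTML property so it runs under Node, and `applySwitchLabel`, `STAR_PHRASE` and `HOSTILE_LABEL` are hypothetical names and constructed inputs, not anything from the product. It shows the reported symptom (icon markup rendered literally), the proposed fix (.html()) letting a label that carries user-controlled data execute markup, and a narrow allowlist that lets a bare icon tag through while still escaping everything else.

```javascript
// Added example (not XenForo's code). Models why a switch handler that writes a
// server-supplied label with .text() is XSS-safe, why switching it to .html() is
// not, and what a narrow allowlist for icon markup looks like.

// What jQuery's .text(value) effectively guarantees: the string lands in a text
// node, so every markup character is rendered literally.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Allowlist sanitizer: only <i>, </i>, <span>, </span> carrying at most a class
// attribute made of safe characters survive as markup. Every other tag, any tag
// with extra attributes, and any stray '<' is escaped as text.
const ALLOWED_TAG = /^<(\/?)(i|span)(?:\s+class="([A-Za-z0-9_\- ]*)")?\s*>$/;
function sanitizeIconMarkup(s) {
  return String(s).replace(/<[^>]*>|<|[^<]+/g, tok => {
    if (tok[0] !== '<') return escapeHtml(tok);        // plain text run
    const m = ALLOWED_TAG.exec(tok);
    if (!m) return escapeHtml(tok);                    // not on the allowlist
    if (m[1]) return `</${m[2]}>`;                     // closing tag
    return m[3] !== undefined ? `<${m[2]} class="${m[3]}">` : `<${m[2]}>`;
  });
}

// Hypothetical stand-in for the switch handler discussed in the thread (assumed
// shape, not the real function): the server answers a star/unstar toggle with
// the new label and the handler writes it into the button. `mode` selects how.
function applySwitchLabel(el, label, mode) {
  if (mode === 'text') el.innerHTML = escapeHtml(label);          // like .text()
  else if (mode === 'html') el.innerHTML = label;                 // like .html()
  else if (mode === 'icon') el.innerHTML = sanitizeIconMarkup(label);
  else throw new Error('unknown mode ' + mode);
  return el.innerHTML;
}

// Constructed inputs. STAR_PHRASE is the customised phrase from the report.
// HOSTILE_LABEL models a label into which user-controlled data (say a username
// containing markup) has been interpolated, the case that makes .html() unsafe.
const STAR_PHRASE = '<i class="fal fa-star"></i>';
const HOSTILE_LABEL = 'Unstar <img src=x onerror=alert(1)>';

function demo() {
  const el = { innerHTML: '' };
  return {
    // Reported symptom: the icon markup is shown as literal text.
    textStar: applySwitchLabel(el, STAR_PHRASE, 'text'),
    // The proposed .html() change renders the icon...
    htmlStar: applySwitchLabel(el, STAR_PHRASE, 'html'),
    // ...but also activates any markup smuggled into the label.
    htmlHostile: applySwitchLabel(el, HOSTILE_LABEL, 'html'),
    // Allowlist: the icon survives, the hostile tag is neutralised.
    iconHostile: applySwitchLabel(el, STAR_PHRASE + ' ' + HOSTILE_LABEL, 'icon'),
  };
}
```

The allowlist is the narrowest change that would satisfy the feature request without reopening the hole: a phrase edited by an administrator is trusted input, but a phrase that interpolates usernames, titles or other user data is not, and .html() cannot tell the two apart. Even the allowlist should be applied only to phrases that are known never to carry parameters.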