As designed Probably "As Designed": Not 'escaping' HTML in custom field descriptions?

[frm]

Affected version

2.1.2

It took me a while (a while too long) to realize that I had <title> in a custom field description on an addon that broke the template; however, it behaves the exact way XF does with custom field descriptions too.

If I add certain HTML to descriptions, such as <title> as it was somewhat "necessary" to have as a description in the addon as a note to self, the template would fail to load, as it does in custom thread fields too. (I probably would've noticed this much much sooner had the HTML been <b> instead).

I'm pretty sure that this is "as designed" so that people can notate things with bold, italics, etc., but, shouldn't HTML be escaped (or converted to < and > rather) and possibly BB Code used for that instead? Just my opinion...

 

[Chris D]

I'm pretty sure that this is "as designed" so that people can notate things with bold, italics, etc., but, shouldn't HTML be escaped (or converted to < and > rather) and possibly BB Code used for that instead? Just my opinion...

Well, you've sort of answered it yourself. It's as designed so that people can add their own markup to the description, including links or basic formatting. Because that is the design, we obviously can't then escape HTML in there with &lt/&gt because that would prevent HTML being used at all. BB code is entirely for end users and allowing the use of advanced formatting without worrying about the dangers of HTML, and isn't particularly designed for admins - there are various places admins can use HTML directly because they are trusted users.

For this particular case if you need to render the text <title> and not render it as HTML then you yourself would have to take care of the escaping.

 

[frm]

For this particular case if you need to render the text <title> and not render it as HTML then you yourself would have to take care of the escaping.

It probably would've taken me much longer to troubleshoot and this might just be an outlier case, but wouldn't a description below the "description" textbox of something like "Note: HTML is allowed" be better for a future scenario?

Seems like something so small that was overlooked, but, the troubleshooting incurred could save someone a couple of minutes (if they put in a bold tag) to hours (if they end the description in a title tag, perhaps).

Example: