[As designed] Probably "As Designed": Not 'escaping' HTML in custom field descriptions?

frm (Well-known member)

Affected version: 2.1.2
It took me a while (a while too long) to realize that I had <title> in a custom field description on an addon that broke the template; however, it behaves the exact way XF does with custom field descriptions too.

If I add certain HTML to descriptions, such as <title> as it was somewhat "necessary" to have as a description in the addon as a note to self, the template would fail to load, as it does in custom thread fields too. (I probably would've noticed this much, much sooner had the HTML been <b> instead.)

I'm pretty sure that this is "as designed" so that people can notate things with bold, italics, etc., but, shouldn't HTML be escaped (or converted to &lt; and &gt; rather) and possibly BB Code used for that instead? Just my opinion...
 
I'm pretty sure that this is "as designed" so that people can notate things with bold, italics, etc., but, shouldn't HTML be escaped (or converted to &lt; and &gt; rather) and possibly BB Code used for that instead? Just my opinion...
Well, you've sort of answered it yourself. It's as designed so that people can add their own markup to the description, including links or basic formatting. Because that is the design, we obviously can't then escape HTML in there with &lt;/&gt; because that would prevent HTML being used at all. BB code is entirely for end users, allowing the use of advanced formatting without worrying about the dangers of HTML, and isn't particularly designed for admins - there are various places admins can use HTML directly because they are trusted users.

For this particular case if you need to render the text <title> and not render it as HTML then you yourself would have to take care of the escaping.
 
For this particular case if you need to render the text <title> and not render it as HTML then you yourself would have to take care of the escaping.
It probably would've taken me much longer to troubleshoot and this might just be an outlier case, but wouldn't a description below the "description" textbox of something like "Note: HTML is allowed" be better for a future scenario?

Seems like something so small that was overlooked, but the troubleshooting incurred could save someone a couple of minutes (if they put in a bold tag) to hours (if they end the description in a title tag, perhaps).

Example: [attached screenshot]
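As an added example (not XenForo's code, and not what XenForo does with these descriptions), here is the middle ground between the two options the replies weigh, raw HTML versus full escaping: a small allowlist renderer, written in Python for illustration, that keeps bold, italics and plain http(s) links and escapes every other tag, <title> included, so it is shown as text. A <title> start tag puts the HTML parser into text mode until a matching </title>, which is why it swallows the rest of the page where a stray <b> only bolds it; the allowed tag set below is an assumption, not a XenForo setting.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: the basic formatting the thread says descriptions are
# meant to carry. Any other tag, <title> included, is escaped and shown as text.
ALLOWED_TAGS = {"b", "i", "em", "strong"}


class DescriptionSanitizer(HTMLParser):
    """Rebuilds admin-entered HTML, keeping allowlisted tags and escaping the rest."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities arrive decoded, we re-escape
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are dropped on purpose
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                self.out.append(f'<a href="{escape(href, quote=True)}">')
            else:
                self.out.append("<a>")  # only plain web links keep their target
        else:
            # <title>, <script>, <div ...>: emitted literally instead of parsed
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS or tag == "a":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always escaped, never trusted

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))


def sanitize_description(text):
    """Return the description as HTML that is safe to emit unescaped in a template."""
    parser = DescriptionSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```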
 