This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Railsport adds escaped HTML to Atom output #2264

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 3 comments

Comments

@openstreetmap-trac

Reporter: avarab[at]gmail.com
[Submitted to the original trac issue database at 9.24am, Saturday, 5th September 2009]

If a changeset contains a URL, the URL-linkifier will clash with the escape routine for the Atom output, and the Atom feed will contain escaped HTML for the URL, e.g.: /browse/changeset/2380396

<td>ref = &lt;a href="http://trac.openstreetmap.org/ticket/2173#comment:1"&gt;http://trac.openstreetmap.org/ticket/2173#comment:1&lt;/a&gt;</td>

[http://www.openstreetmap.org/browse/changeset/2380396 This] is the changeset that produced it.

@openstreetmap-trac

Author: avarab[at]gmail.com
[Added to the original trac issue at 8.49pm, Monday, 14th September 2009]

The problem is that the XML builder list.atom.builder is using is escaping the HTML.

However the content can't be made to be un-escaped either. The reason is that Rails' own sanitize function doesn't do a good job of cleaning out HTML. If someone puts an unclosed HTML tag in a changeset, e.g.:

comment = <b>Unclosed

That will break the Atom feed for all XML parsers.

There's a better sanitizer available on rubygems (source) which is whitelist based.

Attached is a patch that uses it. The patch is craptastic because I don't know how to add a utility function to the application so that it'll be seen by the template code. But it's a proof of concept.

With it HTML/XML output will be safe everywhere.

The downside is that if someone literally inserts e.g. "" into a changeset tag that'll be rendered as "". I.e. stripped away.

I haven't found out how to make the sanitizer accept links but escape everything else.

@openstreetmap-trac

Author: avarab[at]gmail.com
[Added to the original trac issue at 9.09pm, Monday, 14th September 2009]

Anyway, until links can safely be included in our Atom feeds without a stray HTML element blowing the whole feed, I've removed the autolinking. See [17621].

@openstreetmap-trac

Author: tomhughes
[Added to the original trac issue at 11.17pm, Monday, 14th September 2009]

(In [17626]) Output tags to the feed as raw HTML so that links are not escaped (any
real HTML in the tag has already been escaped). Closes #2264.
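
The ordering described in this thread, modelled in plain Ruby as an added example; it is not the code from [17621] or [17626] or anything from the project. All function names are hypothetical, and it assumes the tag value is HTML-escaped before linkifying and then carried as Atom `type="html"` content that is XML-escaped exactly once. The two sample values are the ones quoted in the comments above.

```ruby
require 'erb'
require 'rexml/document'

# URLs stop at whitespace, angle brackets and quotes, so a match can never
# close the href attribute it is written into.
URL_RE = %r{(https?://[^\s<>"']+)}

def h(text)
  ERB::Util.html_escape(text)
end

# Escape every non-URL piece of the raw tag value and wrap each URL in a link.
# The only markup in the result is the <a> element written here.
def tag_value_html(raw)
  raw.split(URL_RE).each_with_index.map do |part, i|
    i.odd? ? %(<a href="#{h(part)}">#{h(part)}</a>) : h(part)
  end.join
end

# The variant the thread rules out: the raw value written into the feed as markup.
def entry_unescaped(raw)
  "<content>#{raw}</content>"
end

# The HTML fragment carried as text content, XML-escaped once.
def entry_html(raw)
  %(<content type="html">#{h(tag_value_html(raw))}</content>)
end

def well_formed?(xml)
  REXML::Document.new(xml)
  true
rescue REXML::ParseException
  false
end

# What a feed reader gets back after XML decoding: the HTML fragment.
def decoded_fragment(xml)
  REXML::Document.new(xml).root.text
end

URL_TAG      = 'ref = http://trac.openstreetmap.org/ticket/2173#comment:1'
UNCLOSED_TAG = 'comment = <b>Unclosed'
```
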
