Sanitization issues in custom HTML infowindows

[iriberri]

Hey, people have reported a couple of issues these days when they use code inside their custom infowindows:

• IMG tags which contain URL with & characters are broken due to escaping
• target="_blank" tags have stopped working too

[javisantana]

@viddo is there a reason to now allow target and img tags with &?

[viddo]

• All attributes are escaped by default, but a browser should be capable of handling that. I've been fiddling around in local dev env and have not been able to break it. Can you give some example of an img URL, @iriberri ?
• The target attribute is disallowed by default, but I can't find any good motivation for why that is. I can change the policy to allow it.

[iriberri]

Sure, I won't share them publicly but: SB/4981277 -- they can be found in the first message.

[iriberri]

Example (target blank): https://team.cartodb.com/u/iriberri/viz/bb8a2cb4-dc52-11e4-bdcc-0e4fddd5de28/map

[iriberri]

http://gis.stackexchange.com/questions/141473/links-will-not-open-to-new-window-cartodb

[viddo]

The target issue will be solved here, CartoDB/carto.js#428 I'll reply to that thread on stackexchange, thx!

Re: the img isssue far it seem to be an issue on embeds only for some reason, still investigating...

[viddo]

The img-issue is due to the Mustache's escaping, using the unescaped output (triple angle brackets, i.e. <img src={{{ img_url }}} ...) makes the image to be rendered as expected. Custom templates are filtered through the sanitize step anyways so it's safe to do. No code change is necessary.

[iriberri]

Extra info about '&' escaping in URLs, they get converted to:

[iriberri]

Great, I'll let the users know. Thanks!