API method getHTML escapes URLs inside <a href="..."> attribute #814

Closed
timtebeek opened this issue Jun 25, 2012 · 2 comments
@timtebeek

Hi all,

I'm running the latest version from master, and when I export the HTML of a pad containing full URLs, the generated HTML A-tag has also escaped the URL in the href attribute.

Steps to reproduce:

  1. Create a pad called test with contents: http://example.com
    http://server/eplite/api/1/setText?apikey=secret&padID=test&text=http://example.com
  2. Retrieve the HTML content:
    http://server/eplite/api/1/getHTML?apikey=secret&padID=test

You'll get:

{"code":0,"message":"ok","data":{"html":"<a href=\"http&#x3a;&#x2f;&#x2f;example&#x2e;com\">http:&#x2F;&#x2F;example.com</a><br>"}}

Browsing through the EPlite code I cannot find any recent changes that introduced this behaviour, but it could be linked to this line: https://github.com/Pita/etherpad-lite/blob/master/src/node/utils/ExportHtml.js#L297

Is this a bug or should I decode the HTML myself?

@marcelklehr
Contributor

I believe this is a bug.

@cweider
Contributor

cweider commented Jul 23, 2012

This is expected behavior – OWASP recommends this paranoid escaping for untrusted attribute values. If an interpreter is having trouble with it, I’d be curious and would like to hear more. If you’re having trouble parsing it with a RegExp, I’d recommend using an XML parser to get at the data.
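
The following is an added example, not part of the thread and not Etherpad Lite's code: it shows that the character references in the `href` above are a lossless encoding that any HTML or XML parser reverses, and why the escaping keeps an untrusted value inside its attribute. The function names, the `RESPONSE` constant and the quote-containing test value are assumptions made for the illustration.

```javascript
// Added example, not Etherpad Lite code. All names here are hypothetical.

// Escape everything except ASCII letters and digits as &#xHH; (lowercase hex),
// the form seen in the href of the getHTML response quoted in the issue.
function escapeAttribute(value) {
  return Array.from(String(value), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join('');
}

// Decode numeric character references plus the five XML named entities,
// which is what an HTML or XML parser does when it reads an attribute value.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeCharRefs(text) {
  return text.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (whole, hex, dec, name) => {
    if (name) {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : whole;
    }
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// The response body quoted in the issue, written as a JavaScript string.
const RESPONSE =
  '{"code":0,"message":"ok","data":{"html":"<a href=\\"http&#x3a;&#x2f;&#x2f;' +
  'example&#x2e;com\\">http:&#x2F;&#x2F;example.com</a><br>"}}';

// Demo-only extraction: the escaper never emits a raw double quote inside the
// value, so matching up to the next quote is enough for this one response.
// A real client should hand data.html to an HTML/XML parser instead.
function hrefFromResponse(body) {
  const html = JSON.parse(body).data.html;
  const match = /<a href="([^"]*)">/.exec(html);
  return match ? decodeCharRefs(match[1]) : null;
}

console.log(hrefFromResponse(RESPONSE));
```
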
