This is expected behavior – OWASP recommends this paranoid escaping for untrusted attribute values. If an interpreter is having trouble with it, I’d be curious and would like to hear more. If you’re having trouble parsing it with a RegExp, I’d recommend using an XML parser to get at the data.
Hi all,
I'm running the latest version from master, and when I export the HTML of a pad containing full URLs that generated HTML `A`-tag has also escaped the URL in the `href` attribute.

Steps to reproduce:
http://server/eplite/api/1/setText?apikey=secret&padID=test&text=http://example.com
http://server/eplite/api/1/getHTML?apikey=secret&padID=test
You'll get:
Browsing through the EPlite code I can not find any recent changes that introduced this behaviour, but it could be linked to this line: https://github.com/Pita/etherpad-lite/blob/master/src/node/utils/ExportHtml.js#L297
Is this a bug or should I decode the HTML myself?
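
The escaping described in the reply, as an added example that is not part of the original thread and not Etherpad's own code: it applies the OWASP rule for untrusted attribute values (every non-alphanumeric character below 256 becomes `&#xHH;`) and shows that resolving character references, which any HTML or XML parser does when reading an attribute, returns the original URL. The names `escapeAttr`, `decodeAttr`, `buildLink` and `hrefOf` are hypothetical, and the second sample value is constructed.

```javascript
// Added example, not Etherpad's ExportHtml.js. Function names are hypothetical.

// OWASP rule for untrusted attribute values: escape every character with a
// code below 256 as &#xHH;, except ASCII letters and digits.
function escapeAttr(value) {
  return Array.from(String(value), (ch) => {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch) || cp >= 256) return ch;
    return `&#x${cp.toString(16)};`;
  }).join('');
}

// What a parser does when it reads the attribute back: resolve numeric
// character references and the five predefined named ones.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttr(value) {
  return value.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, ref) => {
    if (ref[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : m;
    }
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Exporter side: the untrusted URL is only ever placed in escaped form.
function buildLink(url) {
  return `<a href="${escapeAttr(url)}">link</a>`;
}

// Consumer side: take the raw attribute text, then decode it. The quote
// delimiter is safe to match on because escapeAttr never emits a raw quote.
function hrefOf(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m ? decodeAttr(m[1]) : null;
}

const samples = [
  'http://example.com',          // URL from the report
  'x" onmouseover="alert(1)',    // constructed value containing quotes
];
for (const s of samples) {
  const html = buildLink(s);
  console.log(html, '->', JSON.stringify(hrefOf(html)));
}
```

The constructed second value stays inside the `href` attribute because its quotes and spaces are emitted as character references, which is the reason for escaping more than `&`, `<` and `"`.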