HTML attribute values are double escaped in markdown #19860
Labels
Comments
6543
pushed a commit
that referenced
this issue
Jul 1, 2022
The current version of bluemonday is double escaping attributes. This PR updates bluemonday to the version that fixes this. (See: microcosm-cc/bluemonday#143 ) Fix #19860 Signed-off-by: Andrew Thornton art27@cantab.net
zeripath
added a commit
to zeripath/gitea
that referenced
this issue
Jul 3, 2022
Backport go-gitea#20199 The current version of bluemonday is double escaping attributes. This PR updates bluemonday to the version that fixes this. (See: microcosm-cc/bluemonday#143 ) Fix go-gitea#19860 Signed-off-by: Andrew Thornton art27@cantab.net
vsysoev
pushed a commit
to IntegraSDL/gitea
that referenced
this issue
Aug 10, 2022
The current version of bluemonday is double escaping attributes. This PR updates bluemonday to the version that fixes this. (See: microcosm-cc/bluemonday#143 ) Fix go-gitea#19860 Signed-off-by: Andrew Thornton art27@cantab.net
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
I expect to be able to use the double-quote character, for example, in HTML attributes by escaping it using an entity reference. However, the sanitizer double escapes entity references.
For example:
I expect to see double-quotes in the tooltip. Instead, I see
".I reported this on the bluemonday repo, but I see no activity there, so I figured I'd bring it up here so that everyone is aware.
Relevant bluemonday issue: microcosm-cc/bluemonday#143
Reproduced here: https://try.gitea.io/developers/foobar/pulls/1#issuecomment-116871
Gitea Version
1.16.8
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker, but also try.gitea.io.
Database
PostgreSQL
The text was updated successfully, but these errors were encountered: