Page MenuHomePhabricator
Create Task
Maniphest T333336

Kartographer's marker title tooltips show SGML entities (& < > &#...;)
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Use for instance https://en.wikivoyage.org/wiki/El_Gouna
  • Move to "Element Watersports & Beach"
  • Open a map by pressing on the marker "6", move the mouse curser to the map marker. A tooltip occurs

What happens?:

  • Tooltip shows: "Element Watersports & Beach"

What should have happened instead?:

  • Tooltip should show: "Element Watersports & Beach"

Software version (skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

  • The only SGML entity allowed in HTML title attribute is ". XML entities (&#...;) are not allowed, too.
  • Firefox 111.0.1

title-with-entities.jpg (574×924 px, 18 KB)

  • Low priority

Event Timeline

RolandUnger created this task.Mar 28 2023, 11:38 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2023, 11:38 AM
Aklapper removed a project: WMDE-GeoInfo-FocusArea.Mar 28 2023, 1:45 PM
TheDJ subscribed.Mar 28 2023, 2:03 PM

wgKartographerLiveData shows:

{
    "type": "Feature",
    "geometry": {
        "coordinates": [
            33.659889,
            27.434151
        ],
        "type": "Point"
    },
    "properties": {
        "marker-size": "medium",
        "title": "Element Watersports \u0026amp; Beach",
        "marker-symbol": "6",
        "marker-color": "808080"
    }
},
TheDJ renamed this task from Kartographer's marker tooltips show SGML entities (& < > &#...;) to Kartographer's marker title tooltips show SGML entities (& < > &#...;).Mar 28 2023, 2:04 PM
thiemowmde subscribed.Mar 7 2024, 10:24 AM

Minimal example:

<maplink>
{
  "type": "Feature",
  "geometry": { "coordinates": [ 0, 0 ], "type": "Point" },
  "properties": { "title": "[[File:Profil A.jpg|50px]] & B", "marker-symbol": "water" }
}
</maplink>

Clicking this marker opens a popup with the expected visuals "A & B". But hovering shows a tooltip with "&amp; B". Turns out this is the mapbox-lib stripping all HTML elements from the title="…" attribute, but not properly handling &-escaped characters. Search for strip_tags in mapbox-lib.js to see where this happens. There is also a sanitize call that sounds like it should be responsible for this, but doesn't handle &-escaped characters either, as far as I can tell.

TL;DR: Just a bug in the old version of the mapbox-lib we use?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits