Page MenuHomePhabricator
Create Task
Maniphest T95040

HTML entities in CommentNode must be manually escaped/unescaped
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

In order to allow "bad" sequences like "-->" in comment data, the contents of a CommentNode should have HTML entities unescaped for display, and then escaped before serialization.

See T95039 for more details and context.

Concretely, a wikitext comment like:

<!-- hello & --&lt; bad contents, dude! -->

will be represented by Parsoid in its DOM as:

<!-- hello &amp; &#45;&#45;&lt; bad contents, dude! -->

But the DOM CommentNode#data property gives the raw DOMString. The HTML entities need to be manually unescaped before displaying the comment contents to the user, and then the characters -, >, and & must be entity-escaped before giving any edited comment contents to document.createComment.

(Note that - is usually considered an HTML-safe character, and may not be escaped by a standard minimal entity encoder.)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Encode as few characters in comments as possibleVisualEditor/VisualEditormaster+11 -10
Encode and decode HTML entities in comment nodesVisualEditor/VisualEditormaster+39 -5
Customize query in gerrit

Related Objects

Event Timeline

cscott created this task.Apr 3 2015, 7:04 PM
cscott assigned this task to Esanders.
cscott raised the priority of this task from to Medium.
cscott updated the task description. (Show Details)
cscott added a project: VisualEditor.
cscott added subscribers: Arlolra, cscott, Aklapper, Catrope.
cscott updated the task description. (Show Details)Apr 3 2015, 7:07 PM
cscott set Security to None.
cscott added a comment.Apr 6 2015, 6:30 PM

Once T95039 is merged, - will start appearing as &#x2D; in comments until VisualEditor is updated. > and & as well, but they are perhaps less common.

ssastry added projects: StructuredDiscussions, ContentTranslation.Apr 6 2015, 8:04 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptApr 6 2015, 8:04 PM
cscott raised the priority of this task from Medium to High.Apr 6 2015, 8:17 PM
cscott added subscribers: Nikerabbit, santhosh.

Raised priority because of user-visible entity escaping which would be visible once T95039 lands.

@Catrope, @Esanders, do we need to hold off deploying T95039 until this task is complete in VE?

@Nikerabbit, @santhosh: This change affects you as well, if you care about what comments look like.

ssastry added subscribers: EBernhardson, Mattflaschen-WMF, ssastry.Apr 6 2015, 8:23 PM

And, @Mattflaschen and @EBernhardson as well.

Mattflaschen-WMF added a comment.Apr 6 2015, 8:30 PM

We should be covered by the VE fix. I don't think we handle or display comments anywhere else in Flow.

EBernhardson moved this task from Untriaged to Ready for next sprint on the Collaboration-Team-Triage board.Apr 6 2015, 8:31 PM
Catrope added a comment.Apr 6 2015, 8:41 PM
In T95040#1183297, @cscott wrote:

Raised priority because of user-visible entity escaping which would be visible once T95039 lands.

@Catrope, @Esanders, do we need to hold off deploying T95039 until this task is complete in VE?

Yes.

gerritbot subscribed.Apr 7 2015, 2:19 AM

Change 202311 had a related patch set uploaded (by Cscott):
Encode and decode HTML entities in comment nodes

https://gerrit.wikimedia.org/r/202311

gerritbot added a project: Patch-For-Review.Apr 7 2015, 2:19 AM
santhosh added a comment.Apr 7 2015, 8:50 AM
In T95040#1183297, @cscott wrote:

@Nikerabbit, @santhosh: This change affects you as well, if you care about what comments look like.

We do not care about comments as of now.

Jdforrester-WMF moved this task from To Triage to External and Administrivia on the VisualEditor board.Apr 7 2015, 4:18 PM
gerritbot added a comment.Apr 7 2015, 9:35 PM

Change 202311 merged by jenkins-bot:
Encode and decode HTML entities in comment nodes

https://gerrit.wikimedia.org/r/202311

Catrope mentioned this in rGVED11710e9a81a6: Encode and decode HTML entities in comment nodes.Apr 7 2015, 9:35 PM
Jdforrester-WMF renamed this task from HTML entities in CommentNode must be manually escaped/unescaped. to HTML entities in CommentNode must be manually escaped/unescaped.Apr 8 2015, 7:39 AM
Jdforrester-WMF closed this task as Resolved.
Jdforrester-WMF added projects: WMF-deploy-2015-04-08_(1.26wmf1), VisualEditor 2014/15 Q4 blockers.
Jdforrester-WMF edited a custom field.
Jdforrester-WMF moved this task from Nominated to Done on the VisualEditor 2014/15 Q4 blockers board.
Jdforrester-WMF moved this task from External and Administrivia to FY 18-19 Q3/Q4 on the VisualEditor board.Apr 8 2015, 10:49 AM
Esanders added a comment.Apr 8 2015, 11:40 AM

@cscott you mention that <!-- foo -- bar --> is invalid XML (which is annoying, but I believe you), but is <!-- foo - bar --> invalid? If single hyphens are allowed then we should allow them too as they are going to be far more common than the double hyphen and as the comment is going to be read in source mode as well we should avoid escaping where possible.

gerritbot added a comment.Apr 8 2015, 11:58 AM

Change 202711 had a related patch set uploaded (by Esanders):
Don't encoding single hyphens in comments, just doubles

https://gerrit.wikimedia.org/r/202711

Esanders added a comment.Apr 8 2015, 11:59 AM

From what I can see single hyphens are valid so I have provided the above fix.

DannyH moved this task from Ready for next sprint to Resolved on the Collaboration-Team-Triage board.Apr 8 2015, 4:51 PM
Jdforrester-WMF removed a project: Patch-For-Review.Apr 8 2015, 7:05 PM
gerritbot added a comment.Apr 8 2015, 7:42 PM

Change 202711 merged by jenkins-bot:
Encode as few characters in comments as possible

https://gerrit.wikimedia.org/r/202711

Catrope mentioned this in rGVED48f71d121b3f: Encode as few characters in comments as possible.Apr 8 2015, 7:42 PM
cscott added a comment.Apr 8 2015, 8:42 PM

T95039 is now deployed in Parsoid.

If a few encoded characters in comments sufficiently annoy your users, you might cherry-pick https://gerrit.wikimedia.org/r/202311 for earlier deploy.

https://gerrit.wikimedia.org/r/202711 isn't worth cherry-picking, it is only relevant for standalone VE.

Esanders mentioned this in T110910: Implement <gallery> extension natively inside Parsoid.Feb 5 2016, 7:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits