Opened 12 months ago
Closed 11 months ago
#4572 closed Defect (fixed)
Htmlspecialchars in full view blog title
| Reported by: | coldtrick | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.8.6 |
| Component: | Blog | Version: | 1.8.5 |
| Severity: | minor | Keywords: | |
| Cc: | brett@… | Difficulty: | trivial |
Description
The full view of a blog returns a title which is htmlspecialcharred. This results in the following issue:
Blog with title Q & A results in full view as Q &amp; A
Is the htmlspecialchar required there?
Fix could be to drop the htmlspecialchars in the following file:
mod/blog/lib/blog.php line 29
Change History (4)
comment:1 Changed 12 months ago by coldtrick
comment:2 Changed 12 months ago by cash
Elgg has a systematic problem of encoding submitted content and storing it encoded in the database and then double encoding it for display. A lot of this is due to the htmlawed plugin. I think this is likely the case for this one (the encoding should not be happening on the submission but should on the display).
There is a ticket for this problem. Don't recall the ticket number, but it is an early one.
comment:3 Changed 11 months ago by ewinslow
- Milestone changed from Needs Review to Elgg 1.8.6
Cash is right about this being a systemic problem, but I think the fix provided is correct whichever way we land on that issue. Escaping should be happening at the template level, not the page handler level.
comment:4 Changed 11 months ago by cash
- Component changed from Core to Blog
- Difficulty set to trivial
- Resolution set to fixed
- Status changed from new to closed

patch supplied in https://github.com/Elgg/Elgg/pull/268
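
The double-encoding behaviour discussed in this ticket, as an added PHP example that is not Elgg's code or the patch from the pull request. `esc`, `browser_text` and `pipeline` are hypothetical helpers and the titles are constructed samples. It shows that every escaping layer beyond the first leaves visible entities in the title, and that with no escaping at all, markup in the title reaches the page, so the target is exactly one escape at the template.

```php
<?php
// Added illustration: hypothetical helper names, not Elgg's API.

// One escaping layer, as a submission filter, page handler or template might apply.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// What a browser displays for an HTML text node: entities are decoded once.
function browser_text(string $html): string {
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

// Pass a title through the layers in order: submission, page handler, template.
function pipeline(string $title, array $layers): string {
    foreach ($layers as $layer) {
        $title = $layer($title);
    }
    return $title;
}

$raw = fn(string $s): string => $s; // a layer that leaves the text untouched

$chains = [
    'escaped at submit, handler and template' => ['esc', 'esc', 'esc'],
    'escaped at handler and template'         => [$raw, 'esc', 'esc'],
    'escaped once, at the template'           => [$raw, $raw, 'esc'],
    'never escaped'                           => [$raw, $raw, $raw],
];

// Constructed sample titles: the one from the report, and one carrying markup.
$titles = ['Q & A', '<b>Q</b> & A'];

foreach ($titles as $title) {
    echo "Title submitted: $title\n";
    foreach ($chains as $name => $layers) {
        $html = pipeline($title, $layers);
        // A literal "<b>" in the output means the title was emitted as live markup.
        $live = strpos($html, '<b>') !== false ? 'yes' : 'no';
        printf("  %-41s html=%-32s shown=%-24s live markup=%s\n",
            $name, $html, browser_text($html), $live);
    }
}
```

Only the "escaped once, at the template" chain both displays `Q & A` as typed and keeps the `<b>` title inert, which is why dropping the handler-level call is safe only when the view performs the escape.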