HTML entities stripped from item title #243
Assignees
Labels
Comments
|
@autonome Thanks for opening this issue. This stripping is being done intentionally -- however, I can't actually remember why. 😬 Presumably, the idea was to avoid handing people a XSS injection foot-gun. Note that the un-stripped title is available: |
|
Thanks for the quick reply Dan! Great to know there's a workaround :D
Totally understand the footgun concern. Difficult trade-off against
correctness though. I'm not sure the trade-off is worth it, as the content
is already escaped.
IIUC, the XSS risk would not occur by printing this content directly to a
screen. The risk would occur only if someone first unescapes the content
and then prints it.
…On Thu, Nov 23, 2017 at 9:25 AM Dan MacTough ***@***.***> wrote:
@autonome <https://github.com/autonome> Thanks for opening this issue.
This stripping is being done intentionally
<de3566b>
-- however, I can't actually remember why. 😬 Presumably, the idea was to
avoid handing people a XSS injection foot-gun.
Note that the un-stripped title is available: item['rss:title']['#'].
{ title: 'Intent to unship: as in image maps',
description: 'Hi, In bug 1317937 I intend to unship the feature of <a> elements acting the same way as <area> elements in image maps. This functionality was specced in HTML 4, but no other browser implemented it and was removed from HTML 5. Timothy (:tnikkel) tried to do it before, but it got blocked on',
summary: 'Hi, In bug 1317937 I intend to unship the feature of <a> elements acting the same way as <area> elements in image maps. This functionality was specced in HTML 4, but no other browser implemented it and was removed from HTML 5. Timothy (:tnikkel) tried to do it before, but it got blocked on',
date: 2017-11-08T23:50:27.000Z,
pubdate: 2017-11-08T23:50:27.000Z,
pubDate: 2017-11-08T23:50:27.000Z,
link: 'https://groups.google.com/d/msg/mozilla.dev.platform/JUB5K-sz6ek/F4hQWdDRBQAJ',
guid: 'https://groups.google.com/d/topic/mozilla.dev.platform/JUB5K-sz6ek',
author: 'Emilio Cobos Álvarez',
comments: null,
origlink: null,
image: {},
source: {},
categories: [],
enclosures: [],
'rss:@': {},
'rss:title':
{ '@': {},
'#': 'Intent to unship: <a> as <area> in image maps' },
'rss:link':
{ '@': {},
'#': 'https://groups.google.com/d/msg/mozilla.dev.platform/JUB5K-sz6ek/F4hQWdDRBQAJ' },
'rss:description':
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#243 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADDt5olTZ8ZVmD1_wMiya2EhUJYpAmtks5s5NebgaJpZM4QnMJP>
.
|
|
related to #165 |
|
Wonderful, thanks @danmactough! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Eg: ">"
I'm parsing https://groups.google.com/forum/feed/mozilla.dev.platform/topics/rss.xml?num=50
The item titled "Intent to unship: as in image maps" has those entities encoded as < and > respectively.
However, in the code example below, the entities are missing from item.title, as is detectable from the length:
let url = 'https://groups.google.com/forum/feed/mozilla.dev.platform/topics/rss.xml?num=50';
let req = request(url);
let feedparser = new FeedParser();
req.on('response', function (res) {
this.pipe(feedparser);
});
feedparser.on('readable', function() {
let item = this.read();
console.log(item.title.length)
}
The text was updated successfully, but these errors were encountered: