Please fix the excessive HTML escaping of posts (lemmy.world)

submitted 1 year ago* (last edited 1 year ago) by AlmightySnoo@lemmy.world to c/lemmy@lemmy.ml

7 comments fedilink hide all child comments

Right now Lemmy is unusable for writing code that contains less than/greater than signs because Lemmy's sanitizer treats that as potentially malicious HTML code.

Here's an example:

if(x &lt; y)
{
/* ... */
}

The listing becomes littered with < gibberish.

you are viewing a single comment's thread
view the rest of the comments

[-] mark@programming.dev 6 points 1 year ago* (last edited 1 year ago)

Yeah I think this was hastily done to prevent the XSS injection attacks that were happening IIRC. They implemented encoding for content, but looks like they never got around to fully decoding it.

Issue could've been avoided by just restricting the encoding to when the user types content in (and before database insertion), and decoding when showing the content in the UI.

this post was submitted on 28 Aug 2023

50 points (100.0% liked)

Lemmy

12546 readers

21 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago

MODERATORS

nutomic@lemmy.ml