Wedge

Public area => Bug reports => The Pub => Archived fixes => Topic started by: Anthony` on November 4th, 2012, 09:16 PM

Title: Minor Quick Edit Bug
Post by: Anthony` on November 4th, 2012, 09:16 PM

It seems when I try to quick edit a post with double quotes (") in it, the Javascript has an issue with the quote(s) and instead replaces the entire title textbox with a slash (\). Possible escape issue? Every other special character on my keyboard works fine.

I made a test topic for this here,
http://wedge.org/pub/test/7658/hello-world/msg282990/#msg282990
Just click on the quick edit icon and look at the title's textbox.

Title: Re: Minor Quick Edit Bug
Post by: Arantor on November 5th, 2012, 01:36 AM

Oh yay. I know exactly why this happened >_< Thanks for reporting, we'll get on it shortly.

Posted: November 4th, 2012, 09:18 PM

It is exactly as per http://wedge.org/pub/test/7658/hello-world/

Title: Re: Minor Quick Edit Bug
Post by: Arantor on February 20th, 2013, 05:59 AM

And this is actually still broken :/ Quick edit never got fixed, it seems.

The cause of this is in the way the content is converted by:

Code: [Select]

oCurSubjectDiv = $('#msg' + sCurMessageId + ' h5');
sSubjectBuffer = oCurSubjectDiv.html();

If the subject is entity escaped, there's no problem, it absolutely works as expected.

/meis sorely tempted to just forcibly encode everything back with ENT_QUOTES how it used to be because nothing broke when that happened, there were no strange necessities of workarounds or anything like we have now, fixing every edge case when it appears.
I won't do it tomorrow, I'm out most of tomorrow but on Thursday I'm advising now that I'm going to do it and frankly I don't care about the extra bytes (most of which will be gzipped out anyway, or if we hide the subject it will be even less of a problem anyway). I am fed up with having to dance around security matters for the saving of a few bytes.

Title: Re: Minor Quick Edit Bug
Post by: Anthony` on February 20th, 2013, 10:17 PM

I see, so the error makes good sense in terms of entity-escaping issues. I think that's the way to go to be honest, because it is quite easy to leave an unintended security flaw.

Title: Re: Minor Quick Edit Bug
Post by: Nao on February 21st, 2013, 06:53 PM

What? Never got fixed..?
I thought I'd touched something like that not so long ago...

Title: Re: Minor Quick Edit Bug
Post by: Arantor on February 21st, 2013, 06:55 PM

It never got fixed.

I fixed most of the issues by re-forcing westr::safe with ENT_QUOTES on some of the places, notably quick reply, full reply in some other cases, but I forgot that.

As far as I'm concerned we should just be forcing it on save regardless. Safe by default, and damn the byte cost for once.