Cannot put HTML tag in Topic title


(Anton) #1

Trying to input this text for title:

In code block url was converted to <a> tag

But getting this:

In code block url was converted to tag

(Ben T) #2

Isn’t it a good thing that you can’t put arbitrary HTML in a topic title or post? For example, I could just throw in `<div style="font-size:1000%;color:red;">` and destroy the layout of the page if it was processed as part of the HTML. If it’s left unprocessed there could be related injection faults.


(Anton) #3

Any symbol that I want in the title could just be escaped, not removed - it’s not a slug, it’s just text to be shown.

Btw, in my example it wasn’t a wish to utilize HTML markup; it was actually part of the title’s content.


(Ben T) #4

Well, what I mean is why create logic to show what HTML tags are when it can just be flipped for nefarious purposes. `<a>` is not a symbol… it’s three symbols and is also a possible HTML tag. Why risk it?


(Juan Antonio) #5

Yeah, I agree… special HTML characters should just be escaped and presented like this: <a>, not just in titles… but probably everywhere, no?


(Anton) #6

There is no risk, it’s expected behavior. When I write `< a >` I just expect to see it. Why not?
Btw, for instance, give WordPress a try.

UPD.

I’ve tried with WP and unfortunately, even with the default WP theme, the only way to put HTML tags into the post title was to use HTML entities - wow, this is weird.

Moreover, I was able to use HTML in the title:


However, there is a difference between a WP admin (or trusted editor) being able to use HTML in the title of his own posts AND a forum user who is not trusted to use any HTML in topic titles - because it’s not the end users who own the website.

So to me it looks logical to auto-escape topic titles in the forum.
If someone disagrees, another option would be an auto_escape_topic_titles admin setting set to YES by default.

commit: 27fbd232d4f49e9e66dc7dcdbd18150b6b1b0ecb


(Jeff Atwood) #7

I just checked and this is still true – HTML tags are stripped from titles so

Can I put <b>html</b> tags in titles

if entered as a new topic title, will generate a topic with this actual title:

Can I put html tags in titles


(Kane York) #8

Yes, I agree with the posts above - titles should be escaped, not stripped!


(Carlo Kok) #9

It seems to allow &lt;T&gt; in the topic, but then later removes those too.
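
As an added illustration (not code from Discourse or from anyone in this thread), a small Ruby script contrasting the stripping behaviour Jeff describes and the decode-then-strip pipeline Carlo hits with the escape-only handling the posters ask for; the helper names and the third sample title are constructed.

```ruby
require "cgi"

# Sample titles: the first two are the ones quoted in the thread,
# the third is constructed to reproduce the &lt;T&gt; case.
SAMPLE_TITLES = [
  "In code block url was converted to <a> tag",
  "Can I put <b>html</b> tags in titles",
  "Generic List&lt;T&gt; in C#",
].freeze

# Stripping approach: delete anything that looks like a tag.
# Lossy: the reader never sees the "<a>" the author typed.
def strip_tags(title)
  title.gsub(/<[^>]*>/, "")
end

# Pipeline that accepts entities on input, decodes them later and
# then strips the decoded tags too, so even "&lt;T&gt;" disappears.
def decode_then_strip(title)
  strip_tags(CGI.unescapeHTML(title))
end

# Escaping approach: keep every character of the title and encode the
# HTML metacharacters, so the browser renders them as literal text.
def escape_title(title)
  CGI.escapeHTML(title)
end

# Text the browser shows once the escaped title is rendered as HTML.
def rendered_text(escaped_title)
  CGI.unescapeHTML(escaped_title)
end

# True when escaping round-trips the author's text unchanged.
def escape_preserves_text?(title)
  rendered_text(escape_title(title)) == title
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TITLES.each do |t|
    puts "input:    #{t}"
    puts "stripped: #{strip_tags(t)}"
    puts "decoded+stripped: #{decode_then_strip(t)}"
    puts "escaped:  #{escape_title(t)}"
    puts "shown as: #{rendered_text(escape_title(t))}"
    puts
  end
end
```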


(Jeff Atwood) #10

This would be a good change for someone to work on, if someone was so inclined.


(Jeff Atwood) #11

This is still a bug and really should be fixed by now. Anyone want to take it on? @radq?


(Vikhyat Korrapati) #12

https://github.com/discourse/discourse/pull/2277


(Jeff Atwood) #13