HTML entities not being parsed in featured topic title on profile

angus · February 4, 2020, 6:08am

HTML entities are not being parsed properly in featured topic titles in user profiles, i.e.

How to start building stuff for Discourse if you&rsquo;re newbie (like myself)

codinghorror · February 4, 2020, 6:11am

One for @markvanlan perhaps?

markvanlan · February 4, 2020, 3:38pm

I just merged a commit to fix this. Just an extra set of {}!

codinghorror · February 4, 2020, 3:39pm

Are we sure this does not open us up to XSS problems if there is html code in the title of the topic?

markvanlan · February 4, 2020, 3:53pm

I confirmed that fancy_title is escaped, and does not open us up to XSS issues. I had just assumed that was the case, so I appreciate the question.

Topic		Replies	Views
Ampersands getting over-escaped going from Wordpress to Discourse? WordPress	10	445	May 2, 2024
Discourse email notification shows HTML entities for ampersand etc Support	5	835	January 6, 2021
RSS Polling: Convert HTML entities in the title of the post Bug	2	633	January 15, 2021
In featured topic no tags and categories defined Dev	5	477	December 26, 2022
HTML Entities and escape characters in text/plain outgoing email alternative Bug	7	552	January 14, 2024