HTML entities not being parsed in featured topic title on profile

angus · February 4, 2020, 6:08am

HTML entities are not being parsed properly in featured topic titles in user profiles, i.e.

How to start building stuff for Discourse if you&rsquo;re newbie (like myself)

codinghorror · February 4, 2020, 6:11am

One for @markvanlan perhaps?

markvanlan · February 4, 2020, 3:38pm

I just merged a commit to fix this. Just an extra set of {}!

codinghorror · February 4, 2020, 3:39pm

Are we sure this does not open us up to XSS problems if there is html code in the title of the topic?

markvanlan · February 4, 2020, 3:53pm

I confirmed that fancy_title is escaped, and does not open us up to XSS issues. I had just assumed that was the case, so I appreciate the question.

Topic		Replies	Views
Ampersands getting over-escaped going from Wordpress to Discourse? wordpress	6	179	April 17, 2024
Discourse email notification shows HTML entities for ampersand etc support	5	732	January 6, 2021
Disabling HTML entities in posts support	9	1414	July 9, 2017
RSS Polling: Convert HTML entities in the title of the post bug	2	558	January 15, 2021
In featured topic no tags and categories defined dev	5	442	December 26, 2022