RGJ
December 12, 2025, 3:54pm
1
Disable “prioritize username in UX”
Enable “display name on posts”
Have a user with quotes in their name
Try to quote them
Using single quotes in the markdown resolves this specific issue, but it would of course cause issues with names with a single quote, which is probably more common.
Is there a safe way of escaping quote characters in MD ?
2 Likes
I’m afraid there isn’t
The simplest and safest is to strip them, not ideal, but better than broken I guess?
main ← strip-quotation-marks-from-names-in-quote-bbcode
opened 05:48PM - 12 Dec 25 UTC
When "display name on posts" is enabled and "prioritize username in UX" is disab… led, quoting a user with quotation marks in their display name (e.g., `John "The Dev" Smith`) breaks the quote markdown:
[quote="John "The Dev" Smith, post:1, topic:2"]
The BBCode parser's regex `"([^"]+)"` stops at the first `"` inside the name, capturing only `John ` instead of the full name.
Alternatives considered:
- Backslash escaping (`\"`): Would require updating the parser regex to support escape sequences and adding unescape logic. Adds complexity and risks breaking existing quotes.
- URL encoding (`%22`): Requires decoding when rendering. Using `decodeURIComponent` on user input creates XSS risk. A safe decoder that only decodes specific characters adds complexity and attack surface for minimal benefit.
The simplest solution is to strip quotation marks from names when building the quote BBCode. This is safe (no user input decoding), simple (no parser changes), and the minor cosmetic loss in the quote attribution is an acceptable trade-off.
The `stripQuotationMarks` function is defined alongside the existing `QUOTATION_MARKS` array in bbcode-block.js to keep related logic together and avoid duplication.
Ref - https://meta.discourse.org/t/391153
1 Like
RGJ
December 12, 2025, 5:54pm
5
Wow, that was fast
Thank you!