Issue with "Create Book form": Summary field - textarea double-escapes quotes #5320
Comments
What happens here is that the content of the summary is escaped. What this does is parse text for characters used in javascript and turn them into HTML codes. The HTML codes are not runnable, so this prevents someone from putting in a summary that is actually javascript code that might then do something malicious to the next person who opens up that summary. So absolutely removing the escaping is not a proper solution. If you see this in a form editing field then this is not a bug. It is doing what it is supposed to. If however you are seeing this when you display a record (not for editing) then it might be considered a bug.
I think it's appearing in all pages that display the book (create a new book with a quote in the title and summary; book detail page). I've also tried it on the original repo https://github.com/mdn/express-locallibrary-tutorial and the results are the same. What is the solution to this problem? Should we only escape certain characters?
@yosuaputra1 Thanks. You're right. Honestly I do not know. There are numerous different approaches suggested on the Internet - for example, using the he library or some other approach to unencode the symbols. My concern is that if you unencode the symbols that they are then executable again! I don't think this is a concern because pug itself is escaping the symbols but still (I believe) displaying them correctly. @teoli2003 Can you advise here? If not I will have to spend some time validating various options.
This appears to be some kind of "double escaping". What is supposed to happen is that an apostrophe ' is replaced by the character However we're not calling it twice on anything as far as I can tell, so no idea what could cause this and how to stop it. So there is certainly a bug here, but not sure what to do.
Arrgggg no, it's because I'm double escaping. Firstly I'm sanitizing content as it comes into forms and in the database, and then my PUG code also sanitises. So in book detail page I have the following, which escapes the title:
if I change to:
Then it all works. Arrrggg. I'm not going to fix this immediately as I need to think about this a bit. I should change in pug - but I need to explain why I am not escaping stuff in the docs.
@hamishwillee what do you think should be changed? We just need to remove one of the two escapes—either the programmatic one or the template one.
MDN URL: https://developer.mozilla.org/en-US/docs/Learn/Server-side/Express_Nodejs/forms/Create_book_form
What information was incorrect, unhelpful, or incomplete?
.escape() transmutes the quotes ( " ) into ( " ) after creating the book
Specific section or headline?
Inside the controller 'bookController.js' at the create_book_post section : body("summary", "Summary must not be empty.").trim().isLength({ min: 1 }).escape()
What did you expect to see?
A book with a random summary. - " Myself "
Instead, the output is ' A book with a random summary. - " Myself " '
Did you test this? If so, how?
Summary: A book with a random summary. - " Myself "
Simply removing .escape() solves the issue
MDN Content page report details
en-us/learn/server-side/express_nodejs/forms/create_book_form
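A stand-alone model of the two escaping layers this thread is about, added here as an example and not code from the MDN tutorial or from either library: the two escape helpers are assumptions that approximate validator.js's escape() (which express-validator's .escape() delegates to) and pug-runtime's escape, so the demo runs offline. It reproduces the reported symptom (quotes coming back as entities) and shows that escaping once, at output, still neutralises markup in the summary.

```javascript
// Approximation of validator.js escape(), the function behind .escape().
// Assumption: it entity-encodes & " ' < > / \ and backtick, '&' first.
function validatorEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\//g, '&#x2F;')
    .replace(/\\/g, '&#x5C;')
    .replace(/`/g, '&#96;');
}

// Approximation of pug-runtime's escape, which Pug applies to #{...}
// interpolation and attribute values (a leaner set: & < > ").
function pugEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Buggy pipeline from the issue: .escape() encodes the summary before it is
// stored, then the Pug template encodes the stored value a second time.
// The '&' of every stored entity becomes '&amp;', so the browser shows
// the literal text '&quot;' instead of a quote character.
function renderDoubleEscaped(summary) {
  const stored = validatorEscape(summary);
  return `<p>${pugEscape(stored)}</p>`;
}

// Fixed pipeline: the validator chain keeps the raw text (no .escape()),
// and the template is the single place where HTML encoding happens.
function renderFixed(summary) {
  const stored = summary;
  return `<p>${pugEscape(stored)}</p>`;
}

// Constructed inputs: the reporter's sample summary and a markup payload
// that output-side escaping must render inert.
const sample = 'A book with a random summary. - " Myself "';
const hostile = '<script>alert(1)</script>';

console.log(renderDoubleEscaped(sample)); // entities doubled: &amp;quot;
console.log(renderFixed(sample));         // single &quot;, renders as "
console.log(renderFixed(hostile));        // tags encoded, not executable
```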