but work in body text &

  • @[email protected]
    link
    fedilink
    341 year ago

    There was some scare in lemmy development circles recently about script injection vulnerabilities. The various apps and frontend developers “solved” the problem by peppering untrusted user input with escape sequences all over the place. User submits post? Escape title! Receive new post from a federated instance? Escape title!

    Obviously if you escape the title twice and display once, it will show up weird. The problem is that the various devs haven’t agreed yet which parts of the messaging protocol are supposed to be already escaped and which are not. Ideally all user input should be stored and transmitted in raw form, and only escaped right before displaying. But due to various zealously-cautious devs we get this instead:

    • @Synthead
      link
      English
      111 year ago

      There’s a difference between cautious and incorrect. It’s broken. If they’re that concerned, where are the unit tests?