
Why are some fields not escaped?

Open GuiltyDolphin opened this issue 9 years ago • 4 comments

Some fields, for example the subtitle for the text-detail template, aren't HTML-escaped. Why? We've been having issues with having to escape values passed to templates (which we shouldn't) - is this the cause? Or is there a reason for not escaping these fields?

Obviously some fields, such as manually specified content, don't need to be escaped - it just strikes me as odd that some regular fields aren't.

/cc @moollaza

GuiltyDolphin, May 18 '16 14:05

We're using Handlebars functions here that return HTML, so we need to use triple brace instead of double.

The content escaping issues aren't related to the templates, it's related to the way we're passing the content to the front end (a JS comment). For now this results in double escaping.

moollaza, May 18 '16 20:05

@moollaza Why can the subtitle return HTML? I thought that was only for plain-text responses with the option to include HTML via a custom template?

GuiltyDolphin, May 19 '16 10:05

I'm not sure what you mean, but the formatSubtitle helper has the potential to return HTML to the template to be rendered. For example, when we create a subtitle containing text/links and separators.

moollaza, May 20 '16 21:05

@moollaza Isn't subtitle the raw subtitle provided by the user? I.e., in subtitle => ...? Is it guaranteed to be safe through the operations of formatSubtitle?

GuiltyDolphin, May 21 '16 11:05
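The escaping question raised in this thread, as an added example that is not code from duckduckgo-answerbar-templates: a minimal model of the Handlebars `{{ }}` / `{{{ }}}` semantics, with a hypothetical subtitle helper in an unsafe and a hardened form. It has no Handlebars dependency; `escapeHtml` and `SafeString` stand in for `Handlebars.escapeExpression` and `Handlebars.SafeString`, and the `parts` input shape is assumed, since the real `formatSubtitle` signature is not shown in the thread.

```javascript
// Escapes the same character set as Handlebars.escapeExpression.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;' };
  return String(str).replace(/[&<>"'`=]/g, (c) => map[c]);
}

// Stand-in for Handlebars.SafeString: marks markup as already escaped.
class SafeString {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// {{value}}: escape unless the helper returned a SafeString.
function renderDouble(value) {
  return value instanceof SafeString ? value.toString() : escapeHtml(value);
}
// {{{value}}}: emit whatever the helper returned, raw.
function renderTriple(value) { return String(value); }

// Only http(s) links are rendered as anchors; anything else falls back to text.
function safeHref(href) {
  return /^https?:\/\//i.test(href) ? href : null;
}

// Unsafe variant: user-provided text and href go straight into the markup,
// so the template must use {{{ }}} and nothing escapes the raw values.
function formatSubtitleUnsafe(parts) {
  return parts.map((p) => (p.href ? `<a href="${p.href}">${p.text}</a>` : p.text))
              .join(' | ');
}

// Hardened variant: escape every untrusted field, check the link scheme,
// then mark the assembled markup safe so {{ }} can render it unchanged.
function formatSubtitleSafe(parts) {
  const html = parts.map((p) => {
    const text = escapeHtml(p.text);
    const href = p.href && safeHref(p.href);
    return href ? `<a href="${escapeHtml(href)}">${text}</a>` : text;
  }).join(' | ');
  return new SafeString(html);
}

// Constructed sample: a subtitle whose text field carries markup.
const sampleParts = [
  { text: 'Rotten Tomatoes <b>score</b>', href: 'https://example.com/movies' },
  { text: '5 & up' },
];
```

With `renderTriple(formatSubtitleUnsafe(sampleParts))` the `<b>` tag in the text survives into the output, whereas `renderDouble(formatSubtitleSafe(sampleParts))` keeps the anchor and separator but neutralises the markup inside the user-supplied fields.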