HTML attribute values are double escaped in markdown #19860

Closed
@jtran

Description

I expect to be able to use the double-quote character, for example, in HTML attributes by escaping it using an entity reference. However, the sanitizer double escapes entity references.

For example:

<p title="Should have double quotes: &quot;hello&quot;">See tooltip/title of this.</p>

I expect to see double-quotes in the tooltip. Instead, I see &quot;.

I reported this on the bluemonday repo, but I see no activity there, so I figured I'd bring it up here so that everyone is aware.

Relevant bluemonday issue: microcosm-cc/bluemonday#143
Reproduced here: https://try.gitea.io/developers/foobar/pulls/1#issuecomment-116871

Gitea Version

1.16.8

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker, but also try.gitea.io.

Database

PostgreSQL
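
The double-escaping behaviour reported above can be modelled with Go's standard `html` package. This is an added example, not code from Gitea, bluemonday, or the issue author; the function names are hypothetical and the model is simplified to the attribute value alone.

```go
package main

import (
	"fmt"
	"html"
)

// rawTitle is the title attribute value exactly as written in the issue's
// markup, with the double quotes still entity-encoded.
const rawTitle = `Should have double quotes: &quot;hello&quot;`

// serializeNaive (hypothetical) models the failure mode: the still-encoded
// source text is treated as plain text and escaped a second time on output.
func serializeNaive(raw string) string {
	return html.EscapeString(raw)
}

// serializeOnce (hypothetical) decodes entity references to the logical
// value first, then escapes exactly once when writing the attribute.
func serializeOnce(raw string) string {
	return html.EscapeString(html.UnescapeString(raw))
}

// browserView is what the tooltip displays: the browser performs a single
// decoding pass over the serialized attribute value.
func browserView(serialized string) string {
	return html.UnescapeString(serialized)
}

// idempotent reports whether feeding a serializer its own output leaves the
// value unchanged; a double-escaping serializer fails this regression check.
func idempotent(f func(string) string, raw string) bool {
	once := f(raw)
	return f(once) == once
}

func main() {
	for name, f := range map[string]func(string) string{
		"naive": serializeNaive, "once": serializeOnce,
	} {
		out := f(rawTitle)
		fmt.Printf("%-5s attr=%q tooltip=%q idempotent=%v\n",
			name, out, browserView(out), idempotent(f, rawTitle))
	}
}
```

The single-escape form still writes no raw `"` into the attribute, so the quotes display correctly without the value being able to close the attribute early.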
