nmalinoski

Forum bug: HTML titles are displaying HTML entities


The HTML titles are showing HTML entities where possible. It looks like the titles are being escaped at some point before being set with JavaScript; JS already does entity conversions, so the pre-conversion is unnecessary and looks bad.

Example: DFAF: Tim, could we get the cut stuff from the original BL scope setup as dlc?  Or BL 1.5?

Source: http://www.doublefine.com/forums/viewthread/14501/


Yeah, I've noticed this with a couple of threads - usually ones with quotation marks or apostrophes.


The titles were added as a hack by Chris Remo (I think), since the forum engine used for DFAF (Expression Engine) doesn't natively support it:


   window.document.title = "DFAF: Tim, could we get the cut stuff from the original BL scope setup as dlc?  Or BL 1.5?";

As you see, the title is set to a string that already contains those HTML entities, which means that's how they are loaded into the forum template. The reason why it's handled like this instead of directly on the title element is described in this thread.

I'm pretty sure JavaScript doesn't do HTML entity to Unicode conversion natively, but a popular trick is to let the browser handle the conversion by inserting a text node enclosed in a hidden element, like so:


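   var el = document.createElement('div');
   // Let the browser decode the entities by parsing the string as HTML
   el.innerHTML = "$some_template_variable";
   el.style.display = "none";
   document.body.appendChild(el);
   // The decoded text is the value of the resulting text node
   document.title = el.childNodes[0].nodeValue;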


After looking into it briefly, I came across this: stackoverflow.com/.../how-to-decode-html-entities-using-jquery/1395954#1395954

It looks like using a <div/> constitutes an XSS vulnerability, but <textarea/> isn't, because <textarea/> elements aren't allowed to have child elements.

It's even simpler, code-wise, because Chris said they're using jQuery; so he could simply do:

window.document.title = $('<textarea/>').html(new_title).val();

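An added example, not part of the original thread or the forum's own code: decoding the escaped title with a plain string function, so the template value never reaches the HTML parser and the XSS concern raised above about decoding through a DOM element does not arise. The `NAMED` table (a deliberately small subset), `decodeEntities`, `setTitle`, `fakeDoc` and the sample title are assumptions made for illustration.

```javascript
// Entity names handled here; a constructed subset, extend it for your content.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function decodeEntities(input) {
  // Single pass: each entity is decoded exactly once, so "&amp;lt;" yields
  // the text "&lt;" rather than "<" (no double decoding).
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(input).replace(pattern, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // NUL, surrogates and out-of-range values are left exactly as written.
      if (!code || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) {
        return match;
      }
      return String.fromCodePoint(code);
    }
    // Unknown names are left untouched instead of being guessed at.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

function setTitle(doc, escapedTitle) {
  // document.title is a text sink: the decoded string is stored as text and
  // is never parsed as markup, so decoded "<" and ">" stay inert.
  doc.title = decodeEntities(escapedTitle);
  return doc.title;
}

// Constructed sample, modelled on a thread title whose quotes were escaped
// by the template before being handed to the script.
const sample = 'DFAF: &quot;BL 1.5&quot; &amp; Tim&#39;s &lt;img src=x&gt; cut';
const fakeDoc = { title: '' }; // stand-in for window.document outside a browser
console.log(setTitle(fakeDoc, sample));
```

In a page, `setTitle(window.document, new_title)` would be the call; the template still has to emit `new_title` as a correctly escaped JavaScript string literal.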