
HTML input in a question tricks the preview (but not the question page)


You should click this link:

Click me!

See that popup?

The text formatter for questions should probably sanitize its input, and not accept HTML...

Update: The above only works in the preview while entering a question, not when viewing a question. Fair enough. :)


What about this?

<script type="text/javascript">alert('Booh!');</script>

Update: Same as above, this only throws a popup at my face in the preview, but as you can see the parser actually shows the HTML code, instead of interpreting it. Alright then.


So what about this, then?

<iframe src="http://vidberg.blog.lemonde.fr/">

Your browser does not support iframes.

</iframe>

Alright, iframes are properly escaped as well.


So as it turns out, the bug is not what I originally thought: the problem is that the preview doesn't actually preview what will end up on the question page.

Instead, the problem is that preview interprets the HTML and displays the result, while on the question page, the HTML is properly escaped / sanitized.

To see what I'm talking about, try editing this question. :)

bochecha
asked 2013-06-19 00:09:53 -0600, updated 2013-06-19 00:22:13 -0600
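The mismatch the question describes, as an added example that is not the forum software's own code: a toy markdown-to-HTML pipeline where the browser preview leaves raw HTML intact while the server escapes it, plus the consistency check a project would add to catch such divergence. The function names, the placeholder URLs and the sample inputs are assumptions modelled on the post.

```javascript
// Added example, not the forum software's code: a toy model of the mismatch
// reported above. Two markdown-to-HTML converters (browser preview and server)
// disagree on raw HTML, so the preview runs a script the stored page only shows.

// Escape the characters that matter when embedding untrusted text in HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy markdown: only `[text](http(s)://url)` becomes a link; other schemes stay text.
// Escaping runs first, so a quote inside the URL cannot break out of the attribute.
function markdownToHtml(md, escapeRawHtml) {
  const text = escapeRawHtml(md);
  return text.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (m, label, url) =>
    /^https?:\/\//i.test(url) ? `<a href="${url}">${label}</a>` : m);
}

// Buggy client-side preview: raw HTML passes through untouched.
function renderPreviewBuggy(md) { return markdownToHtml(md, (s) => s); }

// Server-side renderer: raw HTML is escaped before markdown is applied.
function renderServer(md) { return markdownToHtml(md, escapeHtml); }

// Fixed preview: reuse the server's escaping step so both outputs agree.
function renderPreviewFixed(md) { return markdownToHtml(md, escapeHtml); }

// Regression check for a project's test suite: every input must render
// identically in the preview and on the server. Returns the inputs that differ.
function findMismatches(renderPreview, inputs) {
  return inputs.filter((md) => renderPreview(md) !== renderServer(md));
}

// Constructed sample inputs modelled on the post (placeholder URLs).
const SAMPLES = [
  "<script type=\"text/javascript\">alert('Booh!');</script>",
  '<iframe src="http://example.invalid/">Your browser does not support iframes.</iframe>',
  "[Click me!](http://example.invalid/)",
];

console.log(findMismatches(renderPreviewBuggy, SAMPLES).length); // 2 inputs differ
console.log(findMismatches(renderPreviewFixed, SAMPLES).length); // 0
```

The markdown link renders identically in both pipelines; only the raw HTML inputs diverge, which is exactly the pattern the post observed.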


1 Answer


Obviously, I must try the same things in answers. :D

Click me!

<script type="text/javascript">alert('Booh!');</script> <iframe src="http://vidberg.blog.lemonde.fr/">

Your browser does not support iframes.

</iframe>

The preview of this answer shows the same wrong behaviour as the preview for questions.

Update: But fortunately, when displaying the question page, the parser properly escapes the HTML in this answer.

As for the question, try editing this answer to see what happens. :)

bochecha
answered 2013-06-19 00:24:45 -0600, updated 2013-06-19 00:26:11 -0600

Comments

The previewer and the server use separate markdown to html converters, which don't have all the same features.

Evgeny (2013-06-19 06:01:26 -0600)

Well, yes, that's the bug that I've reported here.

bochecha (2013-06-19 06:55:09 -0600)