
Revision history

HTML input in a question tricks the preview (but not the question page)

You should click this link:

Click me!

See that popup?

The text formatter for questions should probably sanitize its input, and not accept HTML...

Update: The above only works in the preview while entering a question, not when viewing a question. Fair enough. :)


What about this?

alert('Booh!');

Update: Same as above, this only throws a popup at my face in the preview, but as you can see the parser actually shows the HTML code, instead of interpreting it. Alright then.


So what about this, then?

Your browser does not support iframes.

Alright, iframes are properly escaped as well.


So as it turns out, the bug is not what I originally thought: the problem is that the preview doesn't actually preview what will end up on the question page.

Instead, the problem is that preview interprets the HTML and displays the result, while on the question page, the HTML is properly escaped / sanitized.

To see what I'm talking about, try editing this question. :)
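The inconsistency described in this post (the preview interprets the HTML while the question page escapes it) comes from two rendering paths that do not share one formatter. The following is an added example, not code from the original post or from the forum software; the function names `escapeHtml`, `formatPost`, `renderPreview` and `renderQuestion` and the sample input are assumptions made for illustration. It routes both the live preview and the stored question through the same escape-then-format step, so what the author sees in the preview is exactly what readers get on the question page.

```javascript
// Added example (not from the original post): one shared formatting path for
// both the live preview and the stored question page, so the preview cannot
// show markup that the question page would escape (or vice versa).
// Function names below are assumed for illustration; the forum software's
// real functions are not known here.

// Escape the five characters that can change HTML structure or break out of
// an attribute value. This is the only point where user text meets markup.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal post formatter: escape first, then apply a tiny allow-listed markup
// of our own (paragraph breaks and **bold**) on the already-escaped text, so
// any tags the user typed are shown literally instead of being interpreted.
function formatPost(raw) {
  const escaped = escapeHtml(raw);
  const bolded = escaped.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
  return bolded
    .split(/\n{2,}/)
    .map((para) => `<p>${para}</p>`)
    .join('');
}

// Both views call the same formatter. The bug in the post was that the
// preview had its own path which interpreted the HTML instead of escaping it.
function renderPreview(raw) {
  return formatPost(raw);
}

function renderQuestion(storedRaw) {
  return formatPost(storedRaw);
}

// Consistency check a test suite can run: preview and stored rendering must
// agree byte for byte, and no user-supplied tag may survive unescaped.
function previewMatchesQuestion(raw) {
  const preview = renderPreview(raw);
  const question = renderQuestion(raw);
  const noRawTags = !/<(a|script|iframe)\b/i.test(preview);
  return preview === question && noRawTags;
}

// Constructed sample input (not from the original post).
const SAMPLE = 'Hello **world** & friends\n\n<a href="#">Click me!</a>';

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(renderPreview(SAMPLE));
  console.log('consistent:', previewMatchesQuestion(SAMPLE));
}
```

The order matters: escaping happens before the allow-listed markup is applied, so the only tags that can appear in the output are the ones `formatPost` itself emits. If the preview is rendered client-side and the question server-side, the same rule still holds: both sides must implement this exact escaping, and a test like `previewMatchesQuestion` over stored posts is the cheapest way to notice when they drift apart.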
