sandialabs/scot

Promoting an HTML alert causes HTML entities to get munged

ahoying opened this issue · 2 comments

When an alert that contains HTML elements, like a forwarded email message, is promoted to an event, the HTML entities get encoded, which makes the resulting entry in the new event unreadable. The issue is caused by the make_data_row method in lib/Scot/Model/Alert.pm. It uses encode_entities on all data, which is what munges the HTML elements. It would be better to strip unwanted HTML tags using either HTML::Restrict or HTML::TagFilter and pass the filtered HTML through to the new event entry. Let me know if you'd like me to mock up and submit a patch for this.

Thanks for the feedback. I don't see why we even need to encode entities
when promoting to an event. Events use HTML5 Sandboxing to prevent all
Java/JavaScript/Flash/PDF, etc. in the browser itself. We could probably
just remove the Entity encoding altogether.

-Nick

On Mon, Jan 12, 2015 at 3:30 PM, ahoying notifications@github.com wrote:

> When an alert that contains HTML elements, like a forwarded email message,
> is promoted to an event, the html entities get encoded, which makes the
> resulting entry in the new event unreadable. The issue is caused by the
> make_data_row method in lib/Scot/Model/Alert.pm. It uses encode_entities on
> all data, which is what munges the HTML elements. It would be better to
> strip unwanted HTML tags using either HTML::Restrict or HTML::TagFilter and
> pass the filtered HTML through to the new event entry. Let me know if you'd
> like me to mock up and submit a patch for this.



My concern is that including the promoted alert can include a full HTML document, with headers and everything. I think it might be cleaner to strip everything except what is between the <body> tags at least. Most browsers can handle 'messy' HTML, but the results can be unexpected.

For example an alert might be something like this:

<html><...CSS and Javascript...><body><p>stuff</p><table>...</table></body></html>

When that is promoted and added to the initial entry under the event, it should only include the <p>stuff</p><table>...</table> portion.
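
An added sketch of the approach discussed in this thread, not code from SCOT: it contrasts encode_entities with keeping only the <body> contents and passing them through an HTML::Restrict allowlist. The helper names, the allowed tags and attributes, and the sample alert are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added illustration; not SCOT's make_data_row.
# Helper names and the tag allowlist below are hypothetical.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use HTML::Restrict;

# Constructed sample alert: a full HTML document, as in the comment above.
my $alert = <<'HTML';
<html><head><title>fwd</title><style>p { color: red }</style>
<script>track()</script></head>
<body><p onclick="x()">stuff</p>
<table><tr><td><a href="javascript:x()">link</a></td></tr></table>
</body></html>
HTML

# Behaviour described in the issue: everything is entity-encoded, so the
# markup is shown as literal text instead of being rendered.
sub encode_all { return encode_entities( $_[0] ) }

# Hypothetical replacement: keep the <body> contents, then allowlist tags.
sub filter_for_event {
    my ($html) = @_;

    # Simplification: a regex is enough for this sample; a fragment with
    # no <body> element is filtered as-is.
    my ($body) = $html =~ m{<body\b[^>]*>(.*?)</body\s*>}is;
    $body = $html unless defined $body;

    my $hr = HTML::Restrict->new(
        # Tags not listed are stripped; attributes not listed are dropped.
        rules => {
            p     => [], br => [], b  => [], i  => [], pre => [],
            table => [], tr => [], th => [], td => [],
            a     => [qw(href)],
        },
        # Only these URI schemes (undef = relative links) survive in href.
        uri_schemes => [ undef, 'http', 'https', 'mailto' ],
    );
    return $hr->process($body);
}

print "encoded:\n",  encode_all($alert),       "\n\n";
print "filtered:\n", filter_for_event($alert), "\n";
```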