318408 - Not notified of strip tags on review / comment field: try htmlentities or a warning

Status: RESOLVED WONTFIX

(addons.mozilla.org Graveyard :: Public Pages, defect)

Description

[Edward Z. Yang]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Posted comments are immutable: you can't change them. As a result, it's important not to do anything really amazing to the text.

It appears that the system strips HTML from the comment. This can be unexpected behavior: you might have expected the tags to just be output after being entity-ized.

I'd propose two possible fixes for this problem:

1. Insert warning on comment field that HTML will be stripped
2. Convert HTML < and > to their entities

Reproducible: Always

Steps to Reproduce:
1. Submit a comment that includes < or > in them (like <noscript>)

Actual Results:  
Tags disappear.

Expected Results:  
< and > get converted into entities

OR

Comment field says that HTML will be stripped out.

Comment 1

[Michael Buschbeck]

I vividly second this request.

Most importantly, not everything using "<" or ">" is HTML.  I occasionally tend to enclose my email address in angle brackets like <michael@buschbeck.net>, and stripping that out of a comment renders it rather useless.

The most obvious way of handling "<" and ">" in comments would be escaping them so that they show up exactly as they were entered, not removing any text which happens to be located between a "<" and the next ">".

Comment 2

[Michael Morgan [:morgamic]]

Mass change - bugs to be read / (re)confirmed.

Comment 3

[Wil Clouser [:clouserw]]

Remora's comment system is going to be very different (using vanilla forums), and our current version is in code freeze.  WONTFIXing this bug.

Comment 4

[Cameron]

*** Bug 360110 has been marked as a duplicate of this bug. ***