Skip to content

Decode some html entities #835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
etpinard merged 7 commits into from
Aug 9, 2016
Merged

Decode some html entities #835

etpinard merged 7 commits into from
Aug 9, 2016

Conversation

@etpinard
Copy link
Contributor

@etpinard etpinard commented Aug 9, 2016
edited
Loading

In #804, we dropped html entity decoding for performance reasons, but apparently some folks have been using &,  , etc in their graphs. We need to bring back support for these ASAP.

So, I propose supporting a few entities by translating them one-by-one to unicode.

This PR also DRYs up some code by making sure that svg_text_utils.js (for svg text) and html2unicode (for WebGL text) use the same mappings.

etpinard added 6 commits August 9, 2016 10:42
@etpinard
svg_text_utils: don't require Plotly
5b0d4cb
@etpinard
add string_mappings constants file:
ba6320e 
- use it in html2unicode and svg_text_utils to
  translate a limited set of HTML enitity to unicode
- list unicode-to-entities mappings
  (used in svg text style and anchors)
@etpinard
Revert "Update tests to not depend on entity decode"
010f5a8 
This reverts commit 7649e5d.
@etpinard
bring back & in json mock
20f7ae5 
- this commit partly reverts 6cf80de
@etpinard
test: add case for supported set of html entities
e73ab70
@etpinard
lint: make html2unicode require statement consistent
73d46fe
@etpinard etpinard added bug something broken status: reviewable labels Aug 9, 2016
etpinard
etpinard reviewed Aug 9, 2016
View reviewed changes
test/jasmine/tests/svg_text_utils_test.js
});

it('wrap XSS attacks in href', function() {
var node = mockTextSVGElement(
Copy link
Contributor Author

@etpinard etpinard Aug 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverting a commit from PR #804, as now <, > and " are now back in play.

@etpinard
Copy link
Contributor Author

etpinard commented Aug 9, 2016
edited
Loading

@scjody the most important commit is ba6320e

scjody
scjody reviewed Aug 9, 2016
View reviewed changes
src/constants/string_mappings.js Outdated
'amp': '&',
'lt': '<',
'gt': '>',
'quot': '\"',
Copy link

@scjody scjody Aug 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

&quot; support makes me really uncomfortable since it's been part of so many of our XSS attacks (inserting a " sometimes allows an entity to be terminated early).

Is this definitely needed?

(The rest looks OK to me.)

Copy link
Contributor Author

@etpinard etpinard Aug 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it isn't definitely needed. I thought it was common enough to be part of the list. I'll drop it.

@scjody
Copy link

scjody commented Aug 9, 2016

💃

@etpinard etpinard merged commit c47a2db into master Aug 9, 2016
@etpinard etpinard deleted the decode-some-html-entities branch August 9, 2016 17:53
@alexcjohnson alexcjohnson mentioned this pull request Jun 26, 2017
Merged
@etpinard etpinard mentioned this pull request Aug 25, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug something broken

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@etpinard @scjody