this post was submitted on 28 Aug 2023
48 points (94.4% liked)

Lemmy

12572 readers
3 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

Right now Lemmy is unusable for writing code that contains less than/greater than signs because Lemmy's sanitizer treats that as potentially malicious HTML code.

Here's an example:

if(x < y)
{
/* ... */
}

The listing becomes littered with < gibberish.

top 7 comments
sorted by: hot top controversial new old
[–] ticoombs@reddthat.com 23 points 1 year ago

Don't forget & in community names and sidebars.

Constantly getting trolled by &

[–] TheYear2525@lemmy.world 21 points 1 year ago* (last edited 1 year ago)

What’re you talking about?

[–] Amir@lemmy.ml 11 points 1 year ago (2 children)

It actually looks perfectly fine on Sync for Lemmy so I assume this is only a front-end problem. There are alternative front-ends that you could try.

[–] jmcs@discuss.tchncs.de 8 points 1 year ago (1 children)

This is what it looks in the web UI: Screenshot showing the bracket turns to ampersand lt

[–] NinjaFox@lemmy.blahaj.zone 11 points 1 year ago

This is how it looks on Sync, seems like he's a front end issue.

[–] Crul@lemm.ee 6 points 1 year ago* (last edited 1 year ago)

There are alternative front-ends that you could try.

The 3 frontends for browser / PC that I know (default, mlmym and alexandrite) have this problem. Do you know of any other one that works?

Thanks!

[–] mark@programming.dev 6 points 1 year ago* (last edited 1 year ago)

Yeah I think this was hastily done to prevent the XSS injection attacks that were happening IIRC. They implemented encoding for content, but looks like they never got around to fully decoding it.

Issue could've been avoided by just restricting the encoding to when the user types content in (and before database insertion), and decoding when showing the content in the UI.