< and > characters can be used to bypass length requirements in text fields

Expected behavior:

When passing text bound by < and > characters into a text field with a min length that is to be used in a post, one of the following should occur, i.e. for <OnlyTwentyCharacters>:

  1. The resulting post escapes these characters correctly, and renders the text as given
  2. The wizard does not allow this answer to be submitted, as once rendered they will be less than the min length.

Actual Result:

The wizard allows the post to be created, which renders as empty, despite the 20 character minimum on the field.

Reproduction Steps:

Import the following wizard and attempt to submit <OnlyTwentyCharacters> in the text field. The resulting post will be empty (does it interpret these characters as unescaped HTML?).

[
	{
		"id": "test_1",
		"name": "Test 1",
		"save_submissions": true,
		"steps": [
			{
				"id": "step_1",
				"fields": [
					{
						"id": "step_1_field_5",
						"label": "1",
						"type": "text",
						"min_length": "20"
					}
				]
			}
		],
		"actions": [
			{
				"id": "action_1",
				"run_after": "wizard_completion",
				"type": "create_topic",
				"post": "step_1_field_5",
				"title": [
					{
						"type": "assignment",
						"output": "Test",
						"output_type": "text",
						"output_connector": "set",
						"pairs": []
					}
				],
				"category": [
					{
						"type": "assignment",
						"output_type": "category",
						"output_connector": "set",
						"pairs": [],
						"output": [
							8
						]
					}
				]
			}
		]
	}
]

@fzngagan This is one for you I think, as it works in with your current PR (create a separate PR though, I think).


@fzngagan Don’t forget this one


I'll check this too tomorrow.


@fzngagan What’s the word on this one?


@othomson

I was able to repro it with the wizard text field. Interestingly, I was able to repro it with Discourse's composer too. It looks like Discourse itself escapes the text between <> characters. What would be the best course of action here @angus?

p.s.

My first thoughts: I think this has something to do with HTML parsing of markdown. <> chars are related to HTML.

Discourse uses the exact same post cooking mechanism on the frontend and backend so you can see the final result on the composer preview.

I can repro with this markdown parser too. StackEdit

@fzngagan Just strip out all characters between <> when applying the limit using a regex. Let’s get this fixed and closed please.


It can't escape those characters, as escaping <> would mean losing the HTML tags.

I discussed this with the Discourse team. There are many ways a post can show up empty in spite of not being empty, and the best course of action according to them too is moderation. Also, Discourse does allow posting such content, as there is a huge set of edge cases here.

I think a simple text-only field with a note would be useful: if you're using <> characters, surround them with backticks (``).

@othomson
All that said, if you have an idea on how to better deal with this, I’m happy to include that here.
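A validation helper along the lines @othomson suggests above (strip tag-like tokens before applying the limit), which also honours the backtick hint from the previous post, as an added example that is not the plugin's or Discourse's own code. It assumes the field's min_length arrives as the string seen in the wizard JSON and that only tokens shaped like HTML tags outside inline code spans disappear when the post is cooked.

```javascript
// Added example (not Custom Wizard plugin code): measure the length a text-field
// answer will have once cooked, treating HTML-like tags as zero width unless
// they sit inside a backtick code span, and apply min_length to that length.

// Matches <tag ...> and </tag>; a bare "<" followed by a space or digit is kept,
// matching how "a < b" survives cooking while "<OnlyTwentyCharacters>" does not.
const TAG_RE = /<\/?[A-Za-z][^<>]*>/g;

// Returns the number of characters that will actually be visible in the post.
function visibleLength(raw) {
  let total = 0;
  // Split on inline code spans (capturing group keeps them in the result) so
  // that text inside backticks is counted literally, tags and all.
  const parts = raw.split(/(`[^`]*`)/);
  for (const part of parts) {
    if (part.length >= 2 && part.startsWith("`") && part.endsWith("`")) {
      total += part.length - 2; // code span content renders as-is
    } else {
      total += part.replace(TAG_RE, "").length; // tags outside code render empty
    }
  }
  return total;
}

// Applies a wizard field's min_length to the visible text, not the raw string.
// The wizard JSON on this page stores "min_length": "20" as a string, hence Number().
function validateMinLength(raw, minLength) {
  const min = Number(minLength);
  const length = visibleLength(raw);
  if (Number.isNaN(min)) {
    return { ok: true, length, reason: null }; // no usable limit configured
  }
  if (length < min) {
    return { ok: false, length, reason: `rendered text is ${length} chars, minimum is ${min}` };
  }
  return { ok: true, length, reason: null };
}

// Constructed field mirroring step_1_field_5 from the thread's wizard export.
const sampleField = { id: "step_1_field_5", type: "text", min_length: "20" };

// The reported bypass is rejected; the backtick-wrapped form is accepted.
validateMinLength("<OnlyTwentyCharacters>", sampleField.min_length);   // ok: false, length 0
validateMinLength("`<OnlyTwentyCharacters>`", sampleField.min_length); // ok: true, length 22
```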

Thanks for investigating @fzngagan. I'm happy for you to close this one; the current behavior isn't desirable, but on reflection it is expected.
