Description
Titles etc have a strange double-decoding bug for HTML entities.
For example, it is impossible to include a literal <b> within a title or tooltip - it is always converted to <b>. This has two consequences:
-
If I actually want a raw angle-bracket, for example to say
Threshold < 3, then this is brittle, because sometimes the bracket could be interpreted as beginning a tag. -
There is a possible security risk - it is impossible to enforce an "htmlspecialchars()" conversion to make user input safe, because entities are double-decoded.
Try for example:
layout = {
title: "This <b>could break</b> <script>alert(\"?\")</script> protection",
};
-
This wrongly shows the words "could break" in bold. This is a bug.
-
However, there seems to be some special-case handling of "script" because the alert does not trigger, and the script tag is shown literally. This indicates a belt-and-braces fix in the special-case of "script", I think. So while the behaviour is safe, it's confusing, given (1).
Thanks for your time and your help.