From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org> |
Subject: | Re: escapes in submitted docs comments |
Date: | 2017-02-15 15:31:19 |
Message-ID: | DFF0726D-0ED1-41A7-B9AF-C1A38381DEFC@yesql.se |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
> On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel(at)yesql(dot)se <mailto:daniel(at)yesql(dot)se>> wrote:
> > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com <mailto:alvherre(at)2ndquadrant(dot)com>> wrote:
> >
> > Daniel Gustafsson wrote:
> >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com <mailto:peter(dot)eisentraut(at)2ndquadrant(dot)com>> wrote:
> >>>
> >>> The docs comments coming in through pgsql-docs look like this:
> >>>
> >>> select instr('010000101001001','1',-1) from dual
> >>>
> >>> Can the escaping be fixed?
> >>
> >> AFAIU with Django, to avoid the escaping the form content would have to be
> >> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
> >> get, perhaps the simple approach is to just replace the unicode quote since it
> >> will be quite common? Something along the lines of the (untested) diff below?
> >
> > There are plenty of other characters being escaped, though. Can't we
> > just do something like "parse this html piece as text" instead?
> > ("unescape" I suppose). We're only sending it in a text/plain email, so
> > there's no worry of misinterpreted HTML.
>
> Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
> HTML and renders even if it’s in text/plain. That being said, I don’t think
> I’ve seen one in quite some time.
>
> If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
>
> And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.
Perhaps we can just run the textarea output via the unescape function from
django.utils.html before rendering the mail template?
cheers ./daniel
From | Date | Subject | |
---|---|---|---|
Next Message | Daniel Gustafsson | 2017-02-15 16:06:16 | Fix unclosed div on survey page |
Previous Message | Magnus Hagander | 2017-02-15 13:09:03 | Re: escapes in submitted docs comments |