Making WordPress.org

Opened 3 years ago

Last modified 10 months ago

#5587 new defect (bug)

Skip sanitization of code snippets in forum replies email notifications

Reported by: yordansoares's profile YordanSoares Owned by:
Milestone: Priority: high
Component: Support Forums Keywords:
Cc:

Description

I replied to this user in the support forum, but she used the code that received in her inbox.

I have noticed that when we use <code> tags to display raw code, the message arrive to inbox with the < and < characters converted into HTML entities.

https://i.imgur.com/yAs3GrB.png
Example of a code snippet in a forum reply...

The problem I see here is that if the user uses this code from the email instead the one in the forum reply, it will not work. As you can see in the below replies, she entered the forum through a video I recorded and realized that the code was different from what she received in the email notification.

https://i.imgur.com/5pO6Ev4.png
...code delivered to the user inbox

My proposal is to add an exception to the parsing performed to the messages before sending the mail so that it skip the sanitization in the code enclosed in <code> tags including, of course, the <code> tags in order to display as a code snippet in the mail message.

Change History (10)

This ticket was mentioned in Slack in #forums by vladytimy. View the logs.


3 years ago

#2 follow-up: @vladytimy
3 years ago

Do we have any security concerns about skipping sanitisation of code snippets in mails?
Pinging @dd32 as someone that might have the answer to that question :D

We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.

This ticket was mentioned in Slack in #meta by vladytimy. View the logs.


3 years ago

#4 @tellyworth
3 years ago

  • Priority changed from normal to high

#5 in reply to: ↑ 2 @dd32
3 years ago

I'm fairly sure that this isn't going to be a WordPress.org support forum specific thing, and is probably more likely going to be a core bbPress bug? That will probably have to be fixed upstream..

Replying to vladytimy:

Do we have any security concerns about skipping sanitisation of code snippets in mails?

I don't think there's any issue with security and emails, these are (unfortunately) sent as plain-text emails currently though.

Part of me questions if we'd be better off sending these as html emails though? Just since the output is already designed for inclusion in a HTML email :)

We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.

I don't think that's completely horrible, but I don't think it's exactly a good user experience either. Just because the existing result isn't a good UX, doesn't mean we should replace it with a different bad UX.

#9 @YordanSoares
10 months ago

I wanted to mention, as an example, that Help Scout formats code snippets using <pre> HTML tags, within the email notifications, like displayed in the following screenshot:

https://i.ibb.co/0qJgttp/image.png

If other software products are doing this, I think we should do it too, in order to improve the user experience.

Last edited 10 months ago by YordanSoares (previous) (diff)

#10 @dd32
10 months ago

that Help Scout formats code snippets using <pre> HTML tags, within the email notifications, like displayed in the following screenshot:

bbPress notifications are plain-text, IIRC the blocks-everywhere plugin has upgraded the notifications from plaintext to HTML since my last comment, and I think includes some logic for code blocks.. so this is probably easily PR'd upstream:
https://github.com/Automattic/blocks-everywhere/blob/trunk/classes/handlers/class-bbpress.php#L362-L406

Note: See TracTickets for help on using tickets.