Making WordPress.org

Opened 3 months ago

Last modified 7 weeks ago

#5587 new defect

Skip sanitization of code snippets in forum replies email notifications

Reported by: YordanSoares
Owned by:
Milestone:
Priority: high
Component: Support Forums
Keywords:
Cc:

Description

I replied to this user in the support forum, but she used the code that she received in her inbox.

I have noticed that when we use <code> tags to display raw code, the message arrives in the inbox with the < and > characters converted into HTML entities.

https://i.imgur.com/yAs3GrB.png
Example of a code snippet in a forum reply...

The problem I see here is that if the user uses this code from the email instead of the one in the forum reply, it will not work. As you can see in the replies below, she entered the forum through a video I recorded and realized that the code was different from what she received in the email notification.

https://i.imgur.com/5pO6Ev4.png
...code delivered to the user inbox

My proposal is to add an exception to the parsing performed on the messages before sending the mail, so that it skips the sanitization of the code enclosed in <code> tags, including, of course, the <code> tags themselves, so that it is displayed as a code snippet in the mail message.

Change History (5)

This ticket was mentioned in Slack in #forums by vladytimy.
7 weeks ago

#2 follow-up: @vladytimy
7 weeks ago

Do we have any security concerns about skipping sanitisation of code snippets in mails?
Pinging @dd32 as someone that might have the answer to that question :D

We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.

This ticket was mentioned in Slack in #meta by vladytimy.
7 weeks ago

#4 @tellyworth
7 weeks ago

  • Priority changed from normal to high

#5 in reply to: ↑ 2 @dd32
7 weeks ago

I'm fairly sure that this isn't going to be a WordPress.org support forum specific thing, and is probably more likely going to be a core bbPress bug? That will probably have to be fixed upstream.

Replying to vladytimy:

Do we have any security concerns about skipping sanitisation of code snippets in mails?

I don't think there's any issue with security and emails, these are (unfortunately) sent as plain-text emails currently though.

Part of me questions if we'd be better off sending these as HTML emails though? Just since the output is already designed for inclusion in an HTML email :)

We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.

I don't think that's completely horrible, but I don't think it's exactly a good user experience either. Just because the existing result isn't a good UX, doesn't mean we should replace it with a different bad UX.
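As an added illustration (not code from bbPress or WordPress.org), the PHP below sketches the format-dependent handling that the description's proposal and dd32's plain-text remark together imply: entity-escaping only protects output that a client interprets as HTML, so a text/plain notification can have the entities inside <code> spans decoded, while a text/html notification must keep them escaped. The function names and the sample reply are assumptions made for the example.

```php
<?php
// Added example, not bbPress or WordPress.org code. Function names and the
// sample reply are hypothetical. Demonstrates that "&lt;" inside <code>
// blocks is correct for an HTML body but corrupts a plain-text body, so the
// decision to decode must be keyed on the MIME type of the email.

// Constructed sample of a stored reply body: the forum keeps snippets
// entity-escaped so they render safely inside forum HTML.
const SAMPLE_REPLY = "Put this in functions.php:\n"
    . "<code>echo '&lt;div class=&quot;x&quot;&gt;' . \$a . '&lt;/div&gt;';</code>\n"
    . "then purge the cache.";

/**
 * Decode entities only inside <code>...</code> spans. This is safe for a
 * text/plain body because nothing in it is interpreted as markup.
 */
function code_blocks_for_plain_text( string $body ): string {
    return preg_replace_callback(
        '#<code>(.*?)</code>#s',
        function ( array $m ): string {
            $raw = html_entity_decode( $m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
            // Keep the tags so the reader still sees where the snippet begins and ends.
            return '<code>' . $raw . '</code>';
        },
        $body
    );
}

/**
 * Build the notification body for the requested content type. The HTML
 * variant keeps the escaped form: decoding there would let markup typed into
 * a reply be rendered by the recipient's mail client.
 */
function notification_body( string $reply, string $content_type ): string {
    if ( $content_type === 'text/plain' ) {
        return code_blocks_for_plain_text( $reply );
    }
    return $reply; // text/html: leave the escaping exactly as stored
}

$plain = notification_body( SAMPLE_REPLY, 'text/plain' );
$html  = notification_body( SAMPLE_REPLY, 'text/html' );

// The plain-text body carries the snippet as the author typed it; the HTML
// body still carries the entity-escaped form.
assert( strpos( $plain, '<div class="x">' ) !== false );
assert( strpos( $html, '&lt;div class=&quot;x&quot;&gt;' ) !== false );
echo $plain, "\n";
```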
