Opened 4 years ago
Last modified 14 months ago
#5587 new defect (bug)
Skip sanitization of code snippets in forum replies email notifications
Reported by: | YordanSoares | Owned by: | |
---|---|---|---|
Milestone: | Priority: | high | |
Component: | Support Forums | Keywords: | |
Cc: |
Description
I replied to this user in the support forum, but she used the code that received in her inbox.
I have noticed that when we use <code>
tags to display raw code, the message arrive to inbox with the <
and <
characters converted into HTML entities.
Example of a code snippet in a forum reply...
The problem I see here is that if the user uses this code from the email instead the one in the forum reply, it will not work. As you can see in the below replies, she entered the forum through a video I recorded and realized that the code was different from what she received in the email notification.
...code delivered to the user inbox
My proposal is to add an exception to the parsing performed to the messages before sending the mail so that it skip the sanitization in the code enclosed in <code>
tags including, of course, the <code>
tags in order to display as a code snippet in the mail message.
Change History (10)
This ticket was mentioned in Slack in #forums by vladytimy. View the logs.
4 years ago
This ticket was mentioned in Slack in #meta by vladytimy. View the logs.
4 years ago
#5
in reply to:
↑ 2
@
4 years ago
I'm fairly sure that this isn't going to be a WordPress.org support forum specific thing, and is probably more likely going to be a core bbPress bug? That will probably have to be fixed upstream..
Replying to vladytimy:
Do we have any security concerns about skipping sanitisation of code snippets in mails?
I don't think there's any issue with security and emails, these are (unfortunately) sent as plain-text emails currently though.
Part of me questions if we'd be better off sending these as html emails though? Just since the output is already designed for inclusion in a HTML email :)
We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.
I don't think that's completely horrible, but I don't think it's exactly a good user experience either. Just because the existing result isn't a good UX, doesn't mean we should replace it with a different bad UX.
#6
@
2 years ago
Another case related with this ticket: https://wordpress.org/support/topic/name-of-product-property-shows-on-invoice/#post-15917696
#7
@
23 months ago
Another case related with this ticket: https://wordpress.org/support/topic/include-product-excerpt-as-product-details-in-packing-slip/#post-16196641
#8
@
14 months ago
Another case related with this ticket: https://wordpress.org/support/topic/display-product-short-description-on-packing-slip/#post-16953650
#9
@
14 months ago
I wanted to mention, as an example, that Help Scout formats code snippets using <pre>
HTML tags, within the email notifications, like displayed in the following screenshot:
#10
@
14 months ago
that Help Scout formats code snippets using <pre> HTML tags, within the email notifications, like displayed in the following screenshot:
bbPress notifications are plain-text, IIRC the blocks-everywhere plugin has upgraded the notifications from plaintext to HTML since my last comment, and I think includes some logic for code blocks.. so this is probably easily PR'd upstream:
https://github.com/Automattic/blocks-everywhere/blob/trunk/classes/handlers/class-bbpress.php#L362-L406
Do we have any security concerns about skipping sanitisation of code snippets in mails?
Pinging @dd32 as someone that might have the answer to that question :D
We could replace code snippets in emails with "In order to correctly view the proposed code snippet, click the reply link below" but forcing people to only read code in the forum may be received as evil in some cases.