FIX: strip quotation marks from names in quote BBCode #36666
+30
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When "display name on posts" is enabled and "prioritize username in UX"
is disabled, quoting a user with quotation marks in their display name
(e.g., `John "The Dev" Smith`) breaks the quote markdown:
[quote="John "The Dev" Smith, post:1, topic:2"]
The BBCode parser's regex `"([^"]+)"` stops at the first `"` inside the
name, capturing only `John ` instead of the full name.
Alternatives considered:
- Backslash escaping (`\"`): Would require updating the parser regex to
support escape sequences and adding unescape logic. Adds complexity
and risks breaking existing quotes.
- URL encoding (`%22`): Requires decoding when rendering. Using
`decodeURIComponent` on user input creates XSS risk. A safe decoder
that only decodes specific characters adds complexity and attack
surface for minimal benefit.
The simplest solution is to strip quotation marks from names when
building the quote BBCode. This is safe (no user input decoding),
simple (no parser changes), and the minor cosmetic loss in the quote
attribution is an acceptable trade-off.
The `stripQuotationMarks` function is defined alongside the existing
`QUOTATION_MARKS` array in bbcode-block.js to keep related logic
together and avoid duplication.
Ref - https://meta.discourse.org/t/391153
|
This pull request has been mentioned on Discourse Meta. There might be relevant details there: https://meta.discourse.org/t/quotes-in-full-name-mess-up-quote-markdown/391153/4 |
|
This pull request has been mentioned on Discourse Meta. There might be relevant details there: https://meta.discourse.org/t/daily-summary-5am-utc/291851/681 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When "display name on posts" is enabled and "prioritize username in UX" is disabled, quoting a user with quotation marks in their display name (e.g.,
John "The Dev" Smith) breaks the quote markdown:The BBCode parser's regex
"([^"]+)"stops at the first"inside the name, capturing onlyJohninstead of the full name.Alternatives considered:
Backslash escaping (
\"): Would require updating the parser regex to support escape sequences and adding unescape logic. Adds complexity and risks breaking existing quotes.URL encoding (
%22): Requires decoding when rendering. UsingdecodeURIComponenton user input creates XSS risk. A safe decoder that only decodes specific characters adds complexity and attack surface for minimal benefit.The simplest solution is to strip quotation marks from names when building the quote BBCode. This is safe (no user input decoding), simple (no parser changes), and the minor cosmetic loss in the quote attribution is an acceptable trade-off.
The
stripQuotationMarksfunction is defined alongside the existingQUOTATION_MARKSarray in bbcode-block.js to keep related logic together and avoid duplication.Ref - https://meta.discourse.org/t/391153