1 [[!template id=gitbranch branch=smcv/unescaped-meta author="[[Simon_McVittie|smcv]]"]]
2 (Warning: this branch has not been tested thoroughly.)
4 While discussing the [[plugins/meta]] plugin on IRC, Joey pointed out that
5 it stores most meta fields unescaped, but 'title', 'guid' and 'description'
6 are special-cased and stored escaped (with numeric XML/HTML entities). This
7 is to avoid emitting markup in the `<title>` of a HTML page, or in an RSS/Atom
8 feed, neither of which are subject to the [[plugins/htmlscrubber]].
10 However, having the meta fields "partially escaped" like this is somewhat
11 error-prone. Joey suggested that perhaps everything should be stored
12 unescaped, and the escaping should be done on output; this branch
15 Points of extra subtlety:
17 * The title given to the [[plugins/search]] plugin was previously HTML;
18 now it's plain text, potentially containing markup characters. I suspect
19 that that's what Xapian wants anyway (which is why I didn't change it),
20 but I could be wrong...
22 * Page descriptions in the HTML `<head>` were previously double-escaped:
23 the description was stored escaped with numeric entities, then that was
24 output with a second layer of escaping! In this branch, I just emit
25 the page description escaped once, as was presumably the intention.
27 * It's safe to apply this change to a wiki and neglect to rebuild it
28 (assuming I implemented it correctly!), but until the wiki is rebuilt,
29 titles, descriptions and GUIDs for unchanged pages will appear
30 double-escaped on any page that inlines them in `quick=yes` mode, and
31 is rebuilt for some other reason. The failure mode is too much escaping
32 rather than too little, so it shouldn't be a security problem.