< and > doesn't translate from unicode in Echo.


Michael

27 Jan, 2014 08:05 PM

Hey there,

we just noticed all Echo scripts containing < and > characters now say < and > instead.

Only when used in a message; in the admin view of the echo templates, they look fine.

  1. Posted by Julien on 27 Jan, 2014 08:15 PM


    Hey Michael,

    We just deployed a fix for a potential XSS attack, and this is an unforeseen side effect. I'd rather not roll back the fix. I see that you use < > mostly for links. Would it be ok to switch to a Markdown syntax instead: [text](link) ?

  2. Posted by Julien on 27 Jan, 2014 08:17 PM


    I'm also looking at a hotfix to keep it working as is. Give me a few minutes.

  3. Posted by Michael on 27 Jan, 2014 08:23 PM


    Hey Julien,

    Now, the problem with Markdown is that it looks terrible on the user end. Gmail, for example, doesn't translate Markdown, and we'd like links to show up properly.

  4. Posted by Julien on 27 Jan, 2014 08:38 PM


    Hi Michael,

    This should be fixed.

    As for Markdown, Tender always sends what renders. So if you use Markdown in your echo, and the supporter has Markdown activated for the format (which is the default), the user would receive the rendered version of the Markdown (i.e. HTML), not Markdown.

    But either way, it's now fixed.

    Let me know if you encounter any other issue.

    Thanks.

  5. Posted by Michael on 27 Jan, 2014 08:51 PM


    Sorry, I meant in the email that arrives for the customer rather than on Tender, which doesn't work well with Markdown as it's not parsed to HTML.

  6. Posted by Michael on 27 Jan, 2014 08:54 PM


    The Echo script titles still show the same behavior I'm afraid.

  7. Posted by Michael on 27 Jan, 2014 09:14 PM


    I also just noticed that all double quotation marks are just removed.

  8. Posted by Julien on 27 Jan, 2014 10:18 PM


    Hey Michael,

    The last deploy was more of an emergency fix. I'm working on a more comprehensive solution. I'll keep you posted when it's up.

  9. Posted by Michael on 27 Jan, 2014 10:37 PM


    Thanks Julien,

    For now we've switched to single quotation marks in our Echo scripts; it's a good enough fix for the time being, and the browser couldn't care less.

  10. Posted by Julien on 27 Jan, 2014 11:51 PM


    Hey Michael,

    Yes, this will do in the meantime. I have a better fix ready, just needs the usual QA, etc. We're also adding some scenarios to our tests to cover echoes with HTML (I had always used Markdown).

    Also:

    Sorry, I meant in the email that arrives for the customer rather than on Tender, which doesn't work well with Markdown as it's not parsed to HTML.

    That's what I was explaining: if you have HTML emails, they get the "rendered" version. So you can still write Markdown, and it will render correctly both on the page, and in the email to the customer (provided formatting is set to Markdown for that comment of course).

  11. Posted by Michael on 28 Jan, 2014 09:09 PM


    Hi Julien,

    Thanks for reiterating that. I had a second look at our setup and noticed that it does indeed function as you say. For some reason it didn't before.

    It also uncovered some things on our end that we could and should do better, so it's nice that it got brought up. :)

  12. Posted by Julien on 28 Jan, 2014 09:23 PM


    Glad to hear. I'm still expanding tests to improve the security fix.

    Hopefully it will be deployed tonight or tomorrow.

    Cheers.

  13. Posted by Julien on 29 Jan, 2014 08:39 PM


    Hey Michael,

    Just wanted to let you know that I deployed a new fix for the <> and " in echoes. They should now behave properly both inside the listing and inside the textarea when pasted.

    I will go ahead and close this, but if you experience any issue, or need to reopen, feel free to do so.

    Cheers!
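The failure mode discussed in this thread, an XSS fix that encoded the stored template itself so `<`, `>` and `"` came out as entities (or vanished) in the editor and in sent messages, is a classic escape-on-input versus escape-on-output mistake. The model below is an added illustration written for this page, not Tender's code; the template, the variable syntax and the "naive_store" hotfix are constructed assumptions about what an over-eager fix looks like, and the correct path keeps the trusted template raw, escapes it once for the `<textarea>`, and escapes only the untrusted substituted values in the outgoing message.

```python
import html

# Constructed sample: an Echo template (canned reply) containing an HTML link,
# plus an untrusted value (a customer-supplied name) that gets substituted in.
TEMPLATE = 'Hi {name}, see <a href="https://example.invalid/docs">the docs</a>.'
UNTRUSTED_NAME = '<b>"Bob"</b>'   # markup in user data must never become markup


def naive_store(raw: str) -> str:
    """Hypothetical 'escape everything on save' hotfix: the stored template is
    entity-encoded, so its < > and " no longer survive as markup and the
    editor shows escaped text instead of the original characters."""
    return html.escape(raw, quote=True)


def render_textarea_value(stored: str) -> str:
    """Escape exactly once when placing stored text inside <textarea>;
    the browser decodes the entities back to the original characters."""
    return html.escape(stored, quote=True)


def render_message(stored: str, **values: str) -> str:
    """Trusted template markup is emitted as-is; only substituted values are
    escaped, so user data cannot inject tags or break out of attributes."""
    safe = {k: html.escape(v, quote=True) for k, v in values.items()}
    return stored.format(**safe)


def browser_decode(textarea_html: str) -> str:
    """What the browser displays for the contents of a <textarea>."""
    return html.unescape(textarea_html)


def demo() -> tuple:
    # Hotfix path: template escaped on save, then escaped again for the editor,
    # so the author sees '&lt;a href=&quot;...' (the bug reported above).
    editor_bad = browser_decode(render_textarea_value(naive_store(TEMPLATE)))
    # Correct path: store raw, escape once per output context.
    editor_ok = browser_decode(render_textarea_value(TEMPLATE))
    msg_ok = render_message(TEMPLATE, name=UNTRUSTED_NAME)
    return editor_bad, editor_ok, msg_ok


if __name__ == "__main__":
    for label, value in zip(("editor (hotfix)", "editor (ok)", "message"), demo()):
        print(f"{label}: {value}")
```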

  14. Julien closed this discussion on 29 Jan, 2014 08:39 PM.
