< and > doesn't translate from unicode in Echo.
Hey there,
we just noticed all Echo scripts containing < and > characters now say &lt; and &gt; instead.
Only when used in a message, in the admin view over echo templates, they look fine.
1 Posted by Julien on 27 Jan, 2014 08:15 PM
Hey Michael,
We just deployed a fix for a potential XSS attack, and this is an unforeseen side effect. I'd rather not roll back the fix. I see that you use < > mostly for links. Would it be ok to switch to a Markdown syntax instead:
[text](link)?
2 Posted by Julien on 27 Jan, 2014 08:17 PM
I'm also looking at a hotfix to keep it working as is. Give me a few minutes.
3 Posted by Michael on 27 Jan, 2014 08:23 PM
Hey Julien,
now problem with Markdown is that it looks terrible on the user end. Gmail for example doesn't translate Markdown and we'd like links to show up properly.
4 Posted by Julien on 27 Jan, 2014 08:38 PM
Hi Michael,
This should be fixed.
As for Markdown, Tender always sends what renders. So if you use Markdown in your echo, and the supporter has Markdown activated for the format (which is the default), the user would receive the rendered version of the Markdown (i.e. HTML), not Markdown.
But either way, it's now fixed.
Let me know if you encounter any other issue.
Thanks.
5 Posted by Michael on 27 Jan, 2014 08:51 PM
Sorry, I meant in the Email that arrives for the customer rather than on Tender, which doesn't work well with Markdown as it's not parsed to HTML
6 Posted by Michael on 27 Jan, 2014 08:54 PM
The Echo script titles still show the same behavior I'm afraid.
7 Posted by Michael on 27 Jan, 2014 09:14 PM
I also just noticed that all double quotation marks are just removed..
8 Posted by Julien on 27 Jan, 2014 10:18 PM
Hey Michael,
The last deploy was more of an emergency fix. I'm working on a more comprehensive solution. I'll keep you posted when it's up.
9 Posted by Michael on 27 Jan, 2014 10:37 PM
Thanks Julien,
for now we've switched to single quotations in our Echo scripts, it's a good enough fix for the time being and the browser couldn't care less.
10 Posted by Julien on 27 Jan, 2014 11:51 PM
Hey Michael,
Yes, this will do in the meantime. I have a better fix ready, just needs the usual QA, etc. We're also adding some scenarios to our tests to cover echoes with HTML (I had always used Markdown).
Also:
That's what I was explaining: if you have HTML emails, they get the "rendered" version. So you can still write Markdown, and it will render correctly both on the page, and in the email to the customer (provided formatting is set to Markdown for that comment of course).
11 Posted by Michael on 28 Jan, 2014 09:09 PM
Hi Julien,
Thanks for reiterating that. I had a second look at our setup and noticed that it does indeed function as you say. For some reason it didn't before.
It also uncovered some things on our end that we could and should do better, which is nice that it got brought up. :)
12 Posted by Julien on 28 Jan, 2014 09:23 PM
Glad to hear. I'm still expanding tests to improve the security fix.
Hopefully it will be deployed tonight or tomorrow.
Cheers.
13 Posted by Julien on 29 Jan, 2014 08:39 PM
Hey Michael,
Just wanted to let you know that I deployed a new fix for the <> and " in echoes. They should now behave properly both inside the listing and inside the textarea when pasted.
I will go ahead and close this, but if you experience any issue, or need to reopen, feel free to do so.
Cheers!
Julien closed this discussion on 29 Jan, 2014 08:39 PM.