[HOLD for payment 2023-04-26] [HOLD for payment 2023-04-21] [$1000] Special html characters like   are not escaped in name and can bug out the UI #15131
Comments
kavimuru
added
Daily
|
Triggered auto assignment to @flaviadefaria ( |
Bug0 Triage Checklist (Main S/O)
|
flaviadefaria
added
the
External
melvin-bot
bot
changed the title
|
Job added to Upwork: https://www.upwork.com/jobs/~01823be2bad9582bf7 |
|
Current assignee @flaviadefaria is eligible for the External assigner, not assigning anyone new. |
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane ( |
melvin-bot
bot
added
the
Help Wanted
|
Triggered auto assignment to @pecanoro ( |
Restating the ProblemHTML special characters are not rendered as plain text and are rather rendered to their corresponding character ProposalThere are two possible solutions:
|
ProposalPlease re-state the problem that we are trying to solve in this issue.If the user name coincides with HTML entities like  , it's not showing as is in the chat. What is the root cause of that problem?This is because we're unescaping HTML entities when displaying the user name in the chat. We should not do this because the user name should be shown as is. What changes do you think we should make in order to solve the problem?We should remove (here we show the user name in the message header), App/src/components/ReportActionItem/IOUQuote.js Lines 73 to 80 in f40f9c9 (here we show the user name in the IOU message), and other places if needed (basically any places that display the user name should not be using Str.htmlDecode)
What alternative solutions did you explore? (Optional)For some places like the IOU message, we might want to escape the HTML entity inside the user name when we generate the message, and we can keep the So essentially if the user name is We should not do this for the Result
|
Restating the ProblemThere should be no blank space and the   should be shown normally ProposalRight now the text(representing display name) that's being passed into Report component is explicitly html-escaped. |
ProposalPlease re-state the problem that we are trying to solve in this issue.Changing username to contain special characters, like  , makes App unable to display username correctly in chats and IOU messages. What is the root cause of that problem?The root cause of this issue is that
What changes do you think we should make in order to solve the problem?To fix this issue, we can improve the validation rule of username. Currently, we only check App/src/libs/ValidationUtils.js Lines 359 to 367 in f839c56 We can improve it to check other special characters we don't want for username, like function isValidDisplayName(name) {
const format = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/; // We can customize it for the App if needed
return !format.test(name);
}And update validation error hints. We can add similar checking at backend as well. We can also use this method to check for other inputs that we don't want special characters. What alternative solutions did you explore? (Optional)None |
|
Thanks for your proposal @khashayar-bo and @dgaisan. Please do make use of our proposal template to post proposals. Also it is good to use permalinks to explain root cause of the problem and the solution. |
|
Thanks for the proposal @tienifr. The proposal looks good to me. @pecanoro First thing, I am not sure if it is really a bug. If we want to allow the use of special html characters like   and want it to be shown as it is, we should get rid of 🎀👀🎀 C+ reviewed |
|
Hi @pecanoro , does it make sense to just avoid using some special html characters in username as mentioned in my proposal? It's a common choice to avoid using special characters in username among popular Apps, like Facebook, IG, Github, and etc. By avoiding special characters
Note that currently we do avoid using |
|
@eh2077 nice suggestion but I think it's more like a feature request. With that change existing names that have the HTML entities will still show incorrectly. Also users who use special characters in the name before will suddenly see their name showing error when they try to edit the name. Also |
|
Hi @tienifr, thanks for the comment. I think what I proposed #15131 (comment) is the right fix if using html entities in username is unexpected from product perspective. I really don't think we would expect to use html tags in username initially, like having a username While if this is an expected feature, then I agree with you it'll be a feature request. |
|
@sobitneupane @pecanoro any further thoughts here? |
|
Taking a look at what it would be the desirable behaviour here so we can go with one proposal or another. |
|
Ok, so yeah, to avoid potential weird injections, we should never decode the name and if we input |
|
@pecanoro, @sobitneupane, @zanyrenney, @tienifr Still overdue 6 days?! Let's take care of this! |
|
How are we doing with the regression @pecanoro ? Are we ready to pay this out now? |
melvin-bot
bot
changed the title
|
|
|
The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.1-3 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue: If no regressions arise, payment will be issued on 2023-04-26. 🎊 After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.
As a reminder, here are the bonuses/penalties that should be applied for any External issue:
|
|
BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
|
|
bump @pecanoro can you confirm the status of this one? I am not clear whether this is ready to pay out and I took this over when @flaviadefaria reassigned it so not clear here. Thanks! |
|
@zanyrenney Yes, sorry! Now it's ready to be paid since it's past 2023-04-26. I think BugBot got confused with the timeline due to the regression. There was a regression after merging so take that into account when calculating the payouts and such 🤗 |
|
@zanyrenney Did it get paid? |
|
Moving back to daily so we can this sort out soon. |
|
Hey @pecanoro I was at a conference, getting this paid out now! |
|
Had to create a new job post as Flavia's one was too old. https://www.upwork.com/jobs/~01ff4a14f72d218529 
Invited all. please accept invite for payout @tienifr @sobitneupane @esh-g |
|
@zanyrenney I am eligible for reporting regression here, Can you please send me an offer for reporting regression? |
|
hey @jayeshmangwani - invited you. |
|
hired @sobitneupane @esh-g, waiting on @tienifr to accept job. |
|
@zanyrenney I submitted proposal to the job, thanks! |
@zanyrenney I submitted a proposal for the job, thanks! |
|
Cool, thanks everyone. All the jobs have now been paid out. CLosing the issue! |
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Action Performed
Expected Result
There should be no blank space and the   should be shown normally
Actual Result
There is blank space for the name.
Workaround:
unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Version Number: 1.2.71-1
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos:
Recording.1515.mp4
Screen.Recording.2023-02-14.at.1.05.13.AM.mov
Expensify/Expensify Issue URL:
Issue reported by: @esh-g
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1676317301468499
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: