
@kargig (Owner) commented Jan 17, 2026

Fixes an issue where special characters like apostrophes were being stored and displayed as double or triple-encoded HTML entities (e.g., ' instead of ').

Backend Changes:

  • Update sanitize_input in dive_routes.py to unescape text before escaping it. This makes the operation idempotent and prevents the double-encoding cycle during repeated saves.

Frontend Changes:

  • Implement recursive decoding in htmlDecode.js (up to 3 passes) to properly handle legacy triple-encoded data from the database.
  • Update multiple React components (Admin tables, search inputs, previews, and edit forms) to decode HTML entities before rendering via JSX. This ensures correct visual display while relying on React's native escaping for XSS protection.
  • Fix a pre-existing XSS vulnerability in DiveDetail.js by removing explicit decoding from Leaflet map popup template strings. These now leverage the browser's native entity decoding in innerHTML, which is safe from script injection.

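A Python model of the sanitize_input change and the bounded legacy decode described above, added here as an example; it is not the project's code, and the function names, the popup template and the sample values are constructed for illustration.

```python
import html

def sanitize_input_before(text: str) -> str:
    """Escape only: re-saving already-escaped text double-encodes it."""
    return html.escape(text, quote=True)

def sanitize_input_after(text: str) -> str:
    """Unescape, then escape: idempotent, so repeated saves are stable."""
    return html.escape(html.unescape(text), quote=True)

def decode_legacy(text: str, max_passes: int = 3) -> str:
    """Bounded multi-pass decode for rows written before the fix,
    mirroring the 3-pass loop added to htmlDecode.js. Stops early once
    a pass changes nothing; anything nested deeper than max_passes
    is left partially encoded rather than looping forever."""
    for _ in range(max_passes):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text

# Constructed stand-in for a Leaflet popup template string (innerHTML).
POPUP_TEMPLATE = "<div class='popup'>{name}</div>"

def popup_html_before(stored: str) -> str:
    """Decodes entities before interpolating into innerHTML, so any
    markup a user managed to store comes back to life as real tags."""
    return POPUP_TEMPLATE.format(name=decode_legacy(stored))

def popup_html_after(stored: str) -> str:
    """Interpolates the stored, still-escaped text; the browser renders
    the entities as characters but never parses them as tags."""
    return POPUP_TEMPLATE.format(name=stored)

if __name__ == "__main__":
    name = "O'Neil"
    print(sanitize_input_before(sanitize_input_before(name)))  # O&amp;#x27;Neil
    print(sanitize_input_after(sanitize_input_after(name)))    # O&#x27;Neil
    print(decode_legacy("O&amp;amp;#x27;Neil"))               # O'Neil
```

Note that the backend's single unescape repairs only one level per save, which is why the frontend still needs the multi-pass decode for legacy rows.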
@kargig force-pushed the decodehtml_improvements branch from 3a13e1e to 74fea7d on January 17, 2026 09:51
@kargig merged commit a5f86fc into main on Jan 17, 2026
2 checks passed