Fancy preview destroys links containing ampersands

bjh · June 20, 2017, 12:27am

When I put a link in a previous topic it was converted into a preview, but the link is clicked in the preview is broken. An ampersand is incorrectly converted.

The conversation: https://discourse.mozilla-community.org/t/who-has-the-records-for-the-mozilla-firefox-50-million-downloads-tokens/16521

The link: http://www.britishmuseum.org/research/collection_online/collection_object_details.aspx?objectId=1612368&partId=1

The link split: http:// www.britishmuseum.org/research/collection_online/collection_object_details.aspx?objectId=1612368&partId=1

(Edit: Apparently Meta Help uses a different form of Preview from Mozillians.)

leo · June 20, 2017, 2:00pm

The problem comes when you place a link on its own line, like so, and it becomes a ‘onebox’:

If it’s on a line with other things, it’s fine: http://www.britishmuseum.org/research/collection_online/collection_object_details.aspx?objectId=1612368&partId=1

This is a known bug upstream, but it seems there’s some reluctance to fix it for possible security implications:

bjh · June 20, 2017, 3:04pm

Thanks for the link.

The “security” answer is backwards. The current code sends the user somewhere unintended, which means the current code is a potential security flaw.

Encoding/handling URLs correctly isn’t a security issue.