Fancy preview destroys links containing ampersands

(B.J. Herbison) #1

When I put a link in a previous topic it was converted into a preview, but the link, when clicked in the preview, is broken. An ampersand is incorrectly converted.

The conversation:

The link:

The link split: http://

(Edit: Apparently Meta Help uses a different form of Preview from Mozillians.)

(Leo McArdle) #2

The problem comes when you place a link on its own line, like so, and it becomes a ‘onebox’:

If it’s on a line with other things, it’s fine:

This is a known bug upstream, but it seems there’s some reluctance to fix it for possible security implications:

(B.J. Herbison) #3

Thanks for the link.

The “security” answer is backwards. The current code sends the user somewhere unintended, which means the current code is a potential security flaw.

Encoding/handling URLs correctly isn’t a security issue.
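
Added example, not part of the thread or of the forum software's code: the thread does not say how the ampersand is mis-converted, so this sketch assumes the common failure where a URL is HTML-escaped twice before it is placed in an `href`. The sample URL and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample URL (not the link from the thread).
URL = "https://example.org/search?q=onebox&page=2"

def render_link(url, times_escaped=1):
    """Build an <a> tag, HTML-escaping the URL `times_escaped` times.

    Once is correct for an attribute value; twice models the assumed bug.
    """
    value = url
    for _ in range(times_escaped):
        value = html.escape(value, quote=True)
    return f'<a href="{value}">link</a>'

class _HrefGrabber(HTMLParser):
    """Collects href values; HTMLParser entity-decodes attribute values."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")

def href_after_parsing(markup):
    """Return the href as an HTML parser sees it, i.e. the click target."""
    parser = _HrefGrabber()
    parser.feed(markup)
    parser.close()
    return parser.hrefs[0]

def query_params(url):
    """Split the query string on '&' only, as a server typically would."""
    query = urlsplit(url).query
    return dict(pair.partition("=")[::2] for pair in query.split("&"))

if __name__ == "__main__":
    for n in (1, 2):
        target = href_after_parsing(render_link(URL, n))
        print(n, target, query_params(target))
```

Escaping once still keeps quotes and angle brackets out of the attribute, so the correct rendering is also the safe one; the doubled escape changes the parameter name the destination receives.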