This repository has been archived by the owner on Apr 21, 2021. It is now read-only.

If the HTML title contains character entities, the title bar / tab does not render correctly #185

Closed
holatuwol opened this issue Jan 5, 2017 · 5 comments

Comments

@holatuwol
Member

holatuwol commented Jan 5, 2017

Expected behaviour

<title>left &amp; right</title> will render as "left & right" in the title bar, no matter how the page is loaded.

Actual behaviour

<title>left &amp; right</title> will render as "left & right" in the title bar, only if the page is loaded directly. It will render as "left &amp; right" if the page is loaded through Senna.js.

@eduardolundgren
Contributor

This is the native behavior when entities are passed to document.title = '&amp;'; more specifically, it happens here. The correct fix is to unescape entities before setting the title in order to behave as when it's unescaped natively by the DOM node. The unescape entities implementation is not so trivial since it needs to protect against XSS attacks.

@fernandosouza Could you add to Metal.js an unescapeEntities implementation? Then we can update the code here to use it.

@fernandosouza
Contributor

Sure, @eduardolundgren.

@holatuwol
Member Author

@eduardolundgren

The specification for the title element says, "Titles may contain character entities (for accented characters, special characters, etc.), but may not contain other markup (including comments)." Is there a reason to retain all of the innerHTML of the title and then introduce the complexity of escaping the character entities?

Additionally, the specification for a title setter says that it should behave as though you set the textContent, so shouldn't the virtual document work the same way?

@eduardolundgren
Contributor

@holatuwol You're right, it's unnecessary complexity to unescape entities for that when we can use the title setter to do the job for us. After some experiments here, I came to the following conclusion:

  1. The correct behavior for when the title is extracted from the HTML parsing is setting through document.getElementsByTagName('title')[0].innerHTML = ' foo &amp; bar <script>alert("hi")</script> '; instead of textContent.
  2. Script nodes are not parsed on Chrome, Firefox, Safari (didn't test on IE yet).

@fernandosouza We can prob go with the simpler fix of setting the title in the following way:

var titleElement = document.getElementsByTagName('title')[0];
if (titleElement) {
  titleElement.innerHTML = title;
} else {
  document.title = title;
}

wdyt?
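
Added example, not part of the thread and not Senna.js or Metal.js code: a sketch of the other option raised above, decoding a fetched page's `<title>` to plain text and assigning it through `document.title`, so that nothing in it is parsed as markup. `decodeEntities`, `titleTextFromHtml` and the short entity table are assumptions for illustration, and the sample HTML is constructed.

```javascript
// Added example (not Senna.js or Metal.js code). Function names are hypothetical.
// Small subset of named character references; a real decoder needs the full HTML table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Decode character references in a single pass, so "&amp;lt;" becomes the
// text "&lt;" and is never decoded a second time into "<".
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (match, ref) => {
    if (ref[0] !== '#') {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : match;
    }
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    // NUL, surrogates and out-of-range values map to U+FFFD, as HTML parsers do.
    if (code === 0 || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) {
      return '\uFFFD';
    }
    return String.fromCodePoint(code);
  });
}

// <title> is parsed as text plus character references: tags inside it are not
// elements, and the content ends at the first "</title".
function titleTextFromHtml(html) {
  const m = /<title\b[^>]*>([\s\S]*?)<\/title\b/i.exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Constructed sample response body.
const SAMPLE = '<html><head><title> foo &amp; bar <script>alert("hi")</script> ' +
  '&#169; &amp;lt; &bogus;</title></head><body></body></html>';

const decodedTitle = titleTextFromHtml(SAMPLE);
console.log(JSON.stringify(decodedTitle));

// In a browser the result is assigned as text, so the "<script>" substring
// stays literal characters in the tab title.
if (typeof document !== 'undefined' && decodedTitle !== null) {
  document.title = decodedTitle;
}
```
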

fernandosouza pushed a commit to fernandosouza/senna.js that referenced this issue Jan 6, 2017