Recently, I discovered an issue where all ampersands in titles were being converted into "&". Since we then do the same conversion in the Atom feed, this of course caused havoc. I created a patch (http://trac.habariproject.org/habari/ticket/1044), but I think this speaks to a larger issue.

Right now, we automatically mistrust all form data. We over-think everything, escaping every possible ampersand, even when it's clearly not malicious. Why do we mistrust our users so much? Tokenizer is buggy as hell, and we shouldn't have to turn it off every time we want content to work.

The job of the software is not to be the user's mother. We aren't responsible for making sure their markup is perfect and their ampersands are properly escaped. We certainly shouldn't tamper with their content. A script, especially one barely 500 lines long, is not smarter than a human. We would do well to remember that.
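The double-escaping the post describes, as an added illustration that is not code from the post or from Habari: the title is HTML-escaped once on input and again when the Atom feed is written, so "&" ends up as "&amp;amp;". It is written in Python rather than Habari's PHP, uses a constructed sample title, and shows the escape-once-at-output alternative plus a check that flags already double-encoded feed text.

```python
import html
import re

# Constructed sample title, as a user would type it (not taken from the original post).
RAW_TITLE = "Tom & Jerry <3 Rock & Roll"


def sanitize_on_input(title: str) -> str:
    """Models the behaviour complained about: the input filter HTML-escapes
    the title before it is stored."""
    return html.escape(title, quote=False)


def atom_escape(text: str) -> str:
    """Escape text for an Atom <title> element (an XML text node)."""
    return html.escape(text, quote=False)


def feed_title_double_escaped(raw: str) -> str:
    """Bug path: escape on input, then escape again when writing the feed."""
    return atom_escape(sanitize_on_input(raw))


def feed_title_escaped_once(raw: str) -> str:
    """Fix path: store the title as typed and escape exactly once, at the
    output boundary where the feed is serialised."""
    return atom_escape(raw)


# An entity whose leading ampersand was itself escaped: the text was escaped twice.
DOUBLE_ENCODED = re.compile(r"&amp;(amp|lt|gt|quot|#\d+|#x[0-9a-fA-F]+);")


def has_double_encoding(escaped: str) -> bool:
    """Regression check for feed output: True if any entity is double-encoded."""
    return DOUBLE_ENCODED.search(escaped) is not None
```
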
