Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exported game with title containing single quote gets replaced with exclamation mark #138

Open
hawkerm opened this issue Nov 30, 2024 · 3 comments
Open

Exported game with title containing single quote gets replaced with exclamation mark #138

hawkerm opened this issue Nov 30, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@hawkerm
Copy link

hawkerm commented Nov 30, 2024

Describe the bug
If you export a game with a single quote in the title, then it gets changed to an exclamation point in the exported page title, header, and metadata.

Reproduction Steps

  1. Start new project
  2. Put "Can't be" as the title of the project
title Can't be
  1. Export
  2. Open exported file
<meta name="description" content="Can!t be">
<title>Can!t be</title>
...
<div class="title"><h1 id="gametitle">Can!t be</h1></div>

What did you expect would happen?
Title text to be preserved:

<meta name="description" content="Can't be">
<title>Can't be</title>
...
<div class="title"><h1 id="gametitle">Can't be</h1></div>

OS & Browser version, desktop/mobile
Windows 10 Edge Desktop

Screenshots, example projects, other relevant issues, etc.

image
@hawkerm hawkerm added the bug Something isn't working label Nov 30, 2024
@david-pfx
Copy link
Owner

Not really a bug. You should be getting a message "Unsafe characters found in script will be replaced by !".

Maybe this isn't the best way to deal with them, but figuring out what else could be done is more than a quick fix.

@hawkerm
Copy link
Author

hawkerm commented Dec 5, 2024

Not really a bug. You should be getting a message "Unsafe characters found in script will be replaced by !".

Oh, I totally didn't see that in the blue on blue and as a 'header' style at the top:

image

It's also not actionable as it doesn't tell me the line or the offending character or any info. It should show up like the other message does about 'V' with a link to the line and in a brighter color.

I'd also suggest with both of these 'warnings' the message about "successful compilation" is a bit misleading, maybe it should be "Compilation completed with X warnings" (2 in this case). Only call it "Success" if there are no warnings, and use "Failed" if there are any errors?

Maybe this isn't the best way to deal with them, but figuring out what else could be done is more than a quick fix.

Shouldn't these just get escaped with &apos; and &quot; and such during export? It doesn't seem unreasonable that folks would want these characters in titles for games. E.g.

  • Sally's Sunny Day
  • Bob and his "Breakfast"
  • George's Pet Monster

As far as I can tell, this appears here and is only checked/used solely in local script export (not cloud share) here:

PuzzleScriptNext/src/js/buildStandalone.js

Lines 23 to 32 in 544fe7c

function safeUser(value) {
const regex = /[<>&"'\v]/g;
var nv = value;
if (nv.match(regex)) {
consolePrint(`Unsafe characters found in script will be replaced by !`);
nv = nv.replace(regex, '!');
}
// remove $ for now, they go back later
return safeDollar(nv);
}

And only for these three fields:

PuzzleScriptNext/src/js/buildStandalone.js

Lines 61 to 63 in 544fe7c

htmlString = htmlString.replace(/__GAMETITLE__/g, safeUser(title));
htmlString = htmlString.replace(/__HOMEPAGE__/g, safeUser(homepage));
htmlString = htmlString.replace(/__HOMEPAGE_STRIPPED_PROTOCOL__/g, safeUser(homepage_stripped));

If the exported script is an html file the own developer of the script is downloading for themselves, why is the input even bothering to be sanitized? Especially, when no other values are?

There's not really incentive for them to enter an invalid url to their own homepage, and even if they wanted to be malicious, they can just modify the HTML file they get as a result anyway as it's just the local exported version being checked here.

I suppose they could try and put a tag in their title and that'd lead to some other issue, but I still feel like the proper solution, if this is required, is to replace character in the string for each of the characters you're worried about with their corresponding HTML entity code:

Character HTML Escape Code
< &lt;
> &gt;
& &amp;
' &apos;
" &quot;
\v ??

Not sure where the vertical tab would come from, would it just be blanked or should it be replaced with a horizontal one &Tab;?

@david-pfx
Copy link
Owner

This program used to crash, and my aim was to stop that happening. As I read it now I see several potential problems, including the ones you've run into.

No, I don't think it's possible to do the usual error message with a line number. That relies on the parser.

It's not high on my priority list, but feel free to fix the other problems, and I'll merge it and try it out. You'll need a test program too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hawkerm @david-pfx