From mboxrd@z Thu Jan 1 00:00:00 1970 From: john at keeping.me.uk (John Keeping) Date: Sat, 23 Jun 2018 11:53:42 +0100 Subject: [PATCH 2/2] ui-shared: emit root-desc-html and repo.desc-html after their text counterparts In-Reply-To: <526c7aac-89fb-64eb-4ceb-2fc6b4b3f7fd@warmcat.com> References: <45190b3f-ced1-2b5f-9d3e-c9da90192867@warmcat.com> <152956360719.741.17537017810992910496.stgit@mail.warmcat.com> <20180623102838.GD6584@john.keeping.me.uk> <526c7aac-89fb-64eb-4ceb-2fc6b4b3f7fd@warmcat.com> Message-ID: <20180623105342.GF6584@john.keeping.me.uk> On Sat, Jun 23, 2018 at 06:33:38PM +0800, Andy Green wrote: > > > On 06/23/2018 06:28 PM, John Keeping wrote: > > On Thu, Jun 21, 2018 at 02:46:47PM +0800, Andy Green wrote: > >> Where root-desc and repo.desc are used in the header region, also > >> emit their html counterparts afterwards if they are defined. > >> > >> Where root-desc are repo.desc are used outside the header, > >> eg in the repo list, leave it as it is without adding any > >> related html. > >> > >> Signed-off-by: Andy Green > >> --- > > > > I think this should be squashed with the previous patch since it makes > > it easier to see what's going on. > > > > When I read your initial email on this, I thought we could introduce a > > new HTML version of the description and use that *instead of* the plain > > text one if the HTML variant is available. > > I actually first implemented just rendering what we have as raw html... I don't think we can do that without introducing an HTML injection risk in configurations that are currently safe. > > Having looked at the current implementation of repo->desc, I think > > that's desirable because the reason we don't have a null-check for that > > in the context below is that it will be set to "[no description]" if no > > other value is provided. If a user has set repo->desc_html, I don't > > think we want to print "[no description]" before showing the HTML > > description! > > I take the point, but it turned out there are two separate kinds of > description here... the text-only, existing one that is used, eg, in the > list of repos. And a "functional" HTML part that has buttons or > whatever specific to the repo and used on the header part. > > With just treating them as one, the repo list gained meaningless HTML > buttons or pictures or whatever decoration was put there. The repo list > just wants a short textual description that already exists. So it > arrived at this, leave that be, and add an optional HTML decoration part. OK, that makes sense. Maybe we need the following check, but it is quite ugly! if (ctx.repo->desc && (ctx.repo->desc != cgit_default_repo_desc || !ctx.repo->html_desc)) that is, show the plain text description only if it has been customised or if there is no HTML description.