[Scoop-help] HTML in story titles

Sat Aug 19 12:18:37 PDT 2006

When the html validation code was put in place we didn't see a
compelling reason to allow HTML in titles. Every case of HTML it titles
that we could think of tended to look horrible so we decided to save
some time and not allow HTML at all in titles, relying instead on CSS
styling for title text. Presumably we could add 'subject' as a context
for use in allowed_html so you could allow arbitrary tags but I can only
think of a few tags you'd want to allow anyway beyond bold, italic,
underline strong sub super and MAYBE font. In short, I can't see a
compelling reason not to add the html context 'subject' but I'm not
convinced that it would be really useful for a lot of sites either. If
there are enough 'we want this' responses then I'll do it the moment I
get some free time.

-- Colin

-- 
Scoophost.com - a service of Pinnacle Digital
Scoop consulting and hosting services

scoop-help-request at lists.kuro5hin.org wrote:

> Message: 1
> Date: Fri, 18 Aug 2006 12:27:12 -0700
> From: "Chris Schults" <cschults at grist.org>
> Subject: RE: [Scoop-help] HTML in story titles
> To: <scoop-help at lists.kuro5hin.org>
> Message-ID: <auto-000025770652 at npomail.electricembers.net>
> Content-Type: text/plain;	charset="US-ASCII"
> 
>> I'm assuming you mean that editors can add the HTML after story  
>> submission, and not just anybody.
> 
> Correct.
> 
>> It's possible that editors can bypass the normal filters when editing  
>> a story that already exists. If so, that sounds like a bug, because  
>> fields should be filtered appropriately every time they're changed,  
>> even if an editor is making the change.
> 
> Yes, it is definitely possible. For example, see:
> http://gristmill.grist.org/story/2006/8/18/12035/1766
> 
>> I don't think there would be any security issues with allowing html  
>> in the title, at least none beyond allowing html anywhere. Titles  
>> tend to be short and formatted in a specific way on the page,  
>> however, and are also used in the browser's title bar (which doesn't  
>> allow html formatting).
> 
> So, why is the HTML being stripped out then? I assume there is a reason. If
> not, my editors and contributors would love it if I remove this restriction.
> 
> One side effect, of course, is that the HTML might be preserved in other
> places where the title is used. Case in point, same example:
> http://gristmill.grist.org/story/2006/8/18/12035/1766. Note the browser's
> page title. Thus, you might need to recode blocks, boxes, ops and perhaps
> the codebase as necessary.
> 
> Chris