Escape HTML Tags from Linux Notifications (electron)

[t3chguy]

https://developer.gnome.org/notification-spec/ lists HTML tags which cause special behaviour, but KDE/Plasma for instance simply removes anything that looks like a HTML Tag, https://github.com/electron/electron/blob/master/docs/tutorial/desktop-environment-integration.md#linux says that all Electron supported Linux notification systems (via libnotify) follow this markup spec. Examples of how this issue manifests below:

After fix (different message, this data would previously be in italics):

---

Tested on Windows for sanity's sake
Tested on KDE Neon (KDE/Plasma) 16.04

Needs testing on some other DMs/Distros

Sample test data:

• <i>Foo</i>
• <hello>

[t3chguy]

Tested on Mac, Windows, Linux (KDE, LXDE, GNOME, XFCE, MATE)

[ara4n]

So this ends up with raw HTML tags being displayed in the notif? I'm confused if we're trying to show markup from the HTML message (in which case, why don't we just notify the non-HTML message), or are we trying to show literal HTML markup from a text message?

[t3chguy]

@ara4n rather than raw HTML, its anything enclosed in < and > prior to this would be invisible in a notification on Linux, and <b> etc would actually make it stylized.
Inconsistent as it'd only happen in Linux and it had the potential to malform notifications to the point that they have no content.

[ara4n]

ok, so if the notif system takes the plain text message body (ie not the formatted one) and renders it as if it were HTML, don't we need to escape it fully? eg turn & into & etc? in which case we should use a proper html escaping function rather than just regexping the right angled brackets...

[t3chguy]

As far as I am aware, it doesn't render it fully as HTML, just does basic tag parsing itself.

The following tags should be supported by the notification server. Though it is optional, it is recommended. Notification servers that do not support these tags should filter them out.
<b> ... </b>	Bold
<i> ... </i>	Italic
<u> ... </u>	Underline
<a href="..."> ... </a>	Hyperlink
<img src="..." alt="..."/>	Image
A full-blown HTML implementation is not required of this spec

[ara4n]

okay, then i suggest this is commented in the fix, to stop anyone else reading the code from raising the same eyebrow :)

…

-- Matthew Hodgson Matrix.org

On 22 Apr 2017, at 13:06, Michael Telatynski ***@***.***> wrote: As far as I am aware, it doesn't render it fully as HTML, just does basic tag parsing itself. The following tags should be supported by the notification server. Though it is optional, it is recommended. Notification servers that do not support these tags should filter them out. <b> ... </b> Bold <i> ... </i> Italic <u> ... </u> Underline <a href="..."> ... </a> Hyperlink <img src="..." alt="..."/> Image A full-blown HTML implementation is not required of this spec — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[ara4n]

thanks