but work in body text &

  • TauZero · 34 upvotes · 1 year ago

    There was some scare in lemmy development circles recently about script injection vulnerabilities. The various apps and frontend developers “solved” the problem by peppering untrusted user input with escape sequences all over the place. User submits post? Escape title! Receive new post from a federated instance? Escape title!

    Obviously if you escape the title twice and display once, it will show up weird. The problem is that the various devs haven’t agreed yet which parts of the messaging protocol are supposed to be already escaped and which are not. Ideally all user input should be stored and transmitted in raw form, and only escaped right before displaying. But due to various zealously-cautious devs we get this instead:

    • hikaru755@feddit.de · 2 upvotes · 1 year ago

      That has nothing to do with the ampersand, it’s just that post titles and bodies in general have different fonts. It’s just easier to notice in the ampersand since it’s so different between the fonts.

  • Zeppo@sh.itjust.works · English · 11 upvotes · 1 year ago

    They show as & on the mobile web interface for various instances. I would say it’s something improperly done with what are called HTML entities. HTML entities are a way of encoding various elements that have meaning in HTML so they can be displayed, without being interpreted as HTML by the browser, which could not only break a layout but have security implications. So the titles are sanitized to prevent injection attacks but somehow are not stored/output in a way that they display properly.
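    The "escape once, at render time" rule from TauZero's comment and the HTML-entity explanation from Zeppo's, worked through as an added example (not code from Lemmy or any of its frontends; function names such as `escapeHtml`, `renderTitle` and `looksDoubleEscaped` are assumed for illustration). It shows why a title that is escaped on submit and again on display ends up rendering a literal `&amp;`, what the correct single-escape pipeline looks like, and a simple check a maintainer could run over stored titles to spot ones that arrived already escaped.

    ```javascript
    // Added example, not Lemmy's code: double-escaping versus escape-once-at-render.

    // The five characters that carry meaning in HTML text and attribute context.
    const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    const REVERSE_MAP = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

    // Escape raw text so the browser displays it instead of interpreting it.
    function escapeHtml(text) {
      return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
    }

    // Simulate the bug described in the thread: the submit handler escapes the
    // title before storing it, then the renderer escapes the stored value again.
    function renderTitleDoubleEscaped(rawTitle) {
      const storedAlreadyEscaped = escapeHtml(rawTitle); // "zealous" submit path
      return escapeHtml(storedAlreadyEscaped);            // render path escapes again
    }

    // Correct pipeline: keep the raw title in storage and over the wire, and
    // escape exactly once at the point where HTML is produced.
    function renderTitle(rawTitle) {
      return `<h1>${escapeHtml(rawTitle)}</h1>`;
    }

    // Roughly what the browser shows for a piece of HTML text: each entity is
    // decoded once. Used here only to illustrate the visible result.
    function decodeHtmlText(html) {
      return html.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => REVERSE_MAP[name]);
    }

    // Heuristic check over stored or federated titles: "&amp;" immediately followed
    // by another entity name only appears when the text was escaped upstream already.
    function looksDoubleEscaped(stored) {
      return /&amp;(amp|lt|gt|quot|#\d+|#x[0-9a-f]+);/i.test(stored);
    }

    // Constructed sample title for a stand-alone run.
    const SAMPLE_TITLE = "Tom & Jerry <b>remastered</b>";
    console.log("escaped once :", escapeHtml(SAMPLE_TITLE));
    console.log("escaped twice:", renderTitleDoubleEscaped(SAMPLE_TITLE));
    console.log("user sees    :", decodeHtmlText(renderTitleDoubleEscaped(SAMPLE_TITLE)));
    console.log("double?      :", looksDoubleEscaped(renderTitleDoubleEscaped(SAMPLE_TITLE)));
    ```

    The check is deliberately narrow: a user can legitimately type `&amp;` in a title, so a match is a signal to inspect the submit and federation paths, not proof on its own.
    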

  • Odo@lemmy.world · English · 7 upvotes · 1 year ago

    I believe it’s been fixed for the next version of Lemmy. But for now, small ampersand (U+FE60) works as a substitute: ﹠