Fix author links in the proposals lists

[zecakeh]

Links were broken since the upgrade of the hugo version in #1984.

The broken state can be viewed at the preview from that PR. It cannot be viewed at https://spec.matrix.org/proposals yet because it hasn't been updated since the upgrade (although it is broken on a different way because of the upgrade too). Now visible at https://spec.matrix.org/proposals/#work-in-progress

Pull Request Checklist

• Pull request includes a changelog file
• Pull request includes a sign off
• Pull request is classified as 'other changes'

Preview: https://pr1997--matrix-spec-previews.netlify.app

[richvdh]

I don't really understand this. Isn't the new value immediately overrwritten?

[zecakeh]

Oops, it's using the wrong variable here. The htmlEscape is a only precaution anyway in case there is a special HTML character in the username of an author, but I'm not even sure GitHub would allow that.

[zecakeh]

I remember now why I did that, even if GitHub doesn't allow special characters in the username, it's because the data from the MSC description is not validated.

[zecakeh]

Ad now I realized that for the URL, we should not use htmlEscape but rather a function that converts to a URL-compatible format. Hugo has urlize but it also transforms the string instead of just converting special characters.

Maybe we should consider sanitizing to be the job of the script that fetches the proposals?

[zecakeh]

I removed the call to htmlEscape, maybe it can be done separately, to see if we want to sanitize the input of the proposals.

[richvdh]

Could you explain how #1984 broke this?

[zecakeh]

Could you explain how #1984 broke this?

I am not sure but there was a Hugo update, so I guess a fix on their part requires the use of safeHTML now, which makes sense in a place where HTML is expected and Hugo cannot be sure that the content is really HTML given that it's constructed from a string.

[richvdh]

thanks!