Finding ‘Lost’ Content in a Basecamp Post or Comment

Basecamp is widely used, and many people use it to manage web-based projects as well. Unfortunately, Basecamp does not escape “<” or “>”, so anything that looks like an HTML tag gets interpreted by the browser as one.

I consider this a fatal flaw in the software, since it leads to loss of data (at least visually) and can cause very weird formatting problems in the thread being viewed, at times distorting the information beyond comprehension.

For example, if somebody were to write “Could you put this in a <h1> tag. More text.” it would show as “Could you put this in a

tag. More text.

“. What a mess, huh? And this is a very benign example. I’ve seen people posting HTML code of forms in posts and comments!

Most people I have seen get confused. They don’t realise immediately that there is a <h1> tag in there messing things up. They only see “Could you put this in a tag.” and go: Which tag? Why is “tag” in big and bold? And so forth. And yes, even experienced ‘web people’ are sometimes surprised by this at first, because the behaviour is unexpected. That’s a bad user experience.

So whenever you see weird formatting next to text that doesn’t seem to make sense, remember: there is probably an HTML tag in there causing the problem.

The solution: look at the HTML source. The content is right there, dutifully regurgitated by Basecamp, unfortunately unescaped, and thus rendered by the browser.

Tip: There are browser plugins that allow you to make a selection and view the source of only that part of the page. Using them will make it extremely easy for you to home in on the content you’re interested in.

Another thing to remember is that Basecamp also uses Textile for text formatting, so there could be additional HTML formatting in the comment that the poster never typed. It’s usually easy to tell that apart, though. If that doesn’t work, you can always ask the person who made the post to clarify, and try to be careful next time.
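To make the failure concrete, here is an added example in JavaScript (not Basecamp’s code; the function names are hypothetical and the sample comment is the sentence from this post). It shows what a reader sees when a comment is dropped into the page verbatim, what they see once the output is HTML-escaped, and the “looks like a tag, probably is a tag” check from the tip above.

```javascript
// Added example, not Basecamp's code. Demonstrates why an unescaped comment
// loses text on screen and how escaping on output prevents it.

// The five characters that matter to an HTML parser and their entities.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape HTML-significant characters so the browser shows them literally
// instead of parsing them as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// What the post describes Basecamp doing: the comment body is inserted
// into the page unchanged.
function renderUnescaped(comment) {
  return `<p class="comment">${comment}</p>`;
}

// The fix: escape at output time, right where the text meets the page.
function renderEscaped(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Rough approximation of the text a reader sees: drop every tag, decode the
// entities escapeHtml produced, and collapse whitespace. Enough to show
// which words disappear from view.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, ' ')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&') // decode &amp; last so "&amp;lt;" is not double-decoded
    .replace(/\s+/g, ' ')
    .trim();
}

// The heuristic from the post: text that looks like a tag is probably a
// tag. Returns the tag-like tokens so a reader can spot what went missing.
// A bare "<" followed by a space or digit (e.g. "3 < 4") is not reported.
function findTagLikeTokens(comment) {
  return comment.match(/<\/?[a-zA-Z][^<>]*>/g) || [];
}

// Constructed sample: the sentence used in the post above.
const sample = 'Could you put this in a <h1> tag. More text.';

console.log('unescaped, as seen:', visibleText(renderUnescaped(sample)));
// → Could you put this in a tag. More text.
console.log('escaped, as seen:  ', visibleText(renderEscaped(sample)));
// → Could you put this in a <h1> tag. More text.
console.log('tag-like tokens:   ', findTagLikeTokens(sample));
// → [ '<h1>' ]
```

The unescaped rendering is exactly the page’s example: “<h1>” vanishes from view and the rest of the sentence is swept into a heading. Viewing the source recovers it because the text was stored verbatim; escaping on output makes that detour unnecessary.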


2 Responses to “Finding ‘Lost’ Content in a Basecamp Post or Comment”

  1. Colin Says:

    Creepy. There must be dozens of XSS flaws waiting to be exploited there…

  2. Abhay S Says:

    Very likely. However, they have a weird style of thinking about some things. They would probably say something on the lines of, “Well, you only get to access projects you have access to and of companies/clients you’re dealing with directly. Why would anybody you trust do this to you?”
