Issue: html is parsed into summary

Unfortunately this is the unfortunate side effect of fixing things after content was generated relying on buggy behavior. Most of this is in relation to the mitigation required to fully fix the VWE-2020-5454 escalation (January 2020) and VWE-2020-5727 injections (April 2020).

First, there is no currently supported version where VaultWiki uses the start of the article as a summary. You have said this in multiple places, but it is not the case and it is misleading to other users.

Some history: back when it did, the original fix for VWE-2020-5454 limited the ability to show parsed content intended for another specific user, by not parsing content (showing it as raw). The intent was to stop automatic summaries completely at that point but it did not make it into the patch for one reason or another (likely due to not having an alternate solution). After the patch, it still was possible to display restricted content generally due to not being able to parse it out anymore. When 4.1.x was released, automatically using article content to fill an empty summary was completely removed; there was now the ability to manually define summaries; this also fixed the regression from VaultWiki 3.x, which also had manual summaries.

This means that many of your existing summaries are all there because they were existing content. Your existing content for certain articles happens to correspond with the beginning of those articles, due to prior behavior. We do not remove existing content, even if it was once possible to save content containing vulnerabilities. Ultimately it is your responsibility to determine if any particular entry warrants removal.

Back when summaries were made from the start of articles, it was necessary to ensure that injections were not possible by inadventently including raw HTML tags in the summary. Prior to VWE-2020-5454, this was done by the act of parsing the start of the article, resulting in the summary content being saved with raw characters encoded. Once parsing was no longer done, VWE-2020-5727 had to be introduced, because on newer summaries, those raw tags could now make it into the output. Since there was no way really to tell the difference, summaries had to be encoded on display across the board. For pre-5454 summaries, this means they got unfortunately double-encoded (once whenever they were saved, and now when they are displayed).

Once VaultWiki 4.1.x allowed users to set it manually, this further increased the need to encode raw tags on display, to avoid injections. So 5727 is important.

----

TLDR; What you are basically asking is that we roll back the mitigation against one vulnerability (5727) because content that was generated by relying on an even earlier vulnerability (5454) does not render in a user-friendly way. We will not do this. If mitigation has caused some display issues, you should update the affected content. As far as I'm aware, there are no double-encoding issues regarding changes to summaries.

I will update all summaries manually anyway. I reported it in case it was still an issue affecting supported versions of VW. But as this is not the case its not an issue. Thank you for explaining.