Project

General

Profile

Redmine wiki sql query

Added by Дмитрий Бабанов about 11 years ago

Hello. Please, help me.
I use:
Redmine version 2.1.4
Ruby version 1.9.3
Rails version 3.2.8
Database MySQL

I want to use redmine plugin "Redmine wiki sql".
Description: http://www.redmine.org/plugins/redmine_wiki_sql

Plugins migrate succesful, SQL query succeeds.
But when i save Wiki-page, it show:

<table><tr><th>id</th></tr><tr><td>1</td></tr><tr><td>2</td></tr></table>

But, HTML-code page:
<p>&lt;table&gt;&lt;tr&gt;&lt;td&gt;asd&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;table&gt;&lt;tr&gt;&lt;th&gt;id&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;2&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;</p>

So, SQL query succeeds, but "<" change to "&lt_;", and ">" to "&gt_;". ( _ - for clarity)
How can i change wiki to display a table??

P.S. sorry for my English.


Replies (3)

RE: Redmine wiki sql query - Added by Jan Niggemann (redmine.org team member) about 11 years ago

The plugin page reads

Compatible with: Redmine 1.2.x

and the github repository has only 2 initial commits and a single fork.
You should contact the author of the plugin and check if it's compatible with 2.x...

&lt;
is another representation (HTML character encoding) of <, something encodes your characters into HTML entities.

Another thing worth mentioning is the huge security problem you open up by allowing the user arbitrary SQL queries...

RE: Redmine wiki sql query - Added by Ivan Cenov about 11 years ago

change line 43 from

            return _table
to
            return _table.html_safe
However, I agree with Jan Niggemann that this is a big security hole.

    (1-3/3)