Redmine wiki sql query

Added by Дмитрий Бабанов over 6 years ago

Hello. Please help me.
I use:
Redmine version 2.1.4
Ruby version 1.9.3
Rails version 3.2.8
Database MySQL

I want to use redmine plugin "Redmine wiki sql".

The plugin migration succeeded, and the SQL query succeeds.
But when I save the wiki page, it shows:


But the HTML code of the page:

So the SQL query succeeds, but "<" is changed to "&lt_;" and ">" to "&gt_;" (the _ is only for clarity).
How can I make the wiki display a table?

P.S. Sorry for my English.

RE: Redmine wiki sql query - Added by Jan Niggemann (team member) over 6 years ago

The plugin page reads

Compatible with: Redmine 1.2.x

and the github repository has only 2 initial commits and a single fork.
You should contact the author of the plugin and check if it's compatible with 2.x...

&lt; is another representation (HTML character encoding) of <; something encodes your characters into HTML entities.

Another thing worth mentioning is the huge security problem you open up by allowing the user arbitrary SQL queries...

RE: Redmine wiki sql query - Added by Ivan Cenov over 6 years ago

change line 43 from

            return _table

to

            return _table.html_safe
However, I agree with Jan Niggemann that this is a big security hole.
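The one-line fix above works because `html_safe` tells Rails not to entity-encode the string, but it marks the whole generated table as trusted, so any `<`, `>` or quotes sitting inside the result rows are rendered raw too: a value someone typed into a Redmine text field and that the query later reads back becomes stored markup on the wiki page. The following is an added example, not code from the thread or from the plugin, written in plain Ruby so it runs without Rails. It contrasts a naive table builder with one that escapes every header and cell through `ERB::Util.html_escape` (the same escaping Rails' `h` helper uses), so that only the tag structure the code itself emits is trusted. The column names, rows and the `leaks_markup?` helper are constructed for the demonstration.

```ruby
require 'erb'

# Constructed sample result set standing in for what the SQL macro would fetch.
# Row 2 carries attacker-controlled markup, e.g. a value a user typed into some
# text field that the query later reads back. (Sample data, not from the thread.)
COLUMNS = %w[id subject].freeze
ROWS = [
  [1, 'Fix login form'],
  [2, '<img src=x onerror="alert(document.cookie)">'],
].freeze

# Naive rendering: concatenate raw values and hand the string to Rails as
# html_safe (the one-line fix in the thread). The markup in row 2 survives
# intact, so it executes in the browser of everyone who views the wiki page.
def unsafe_table(columns, rows)
  html = "<table>\n"
  html << "<tr>" << columns.map { |c| "<th>#{c}</th>" }.join << "</tr>\n"
  rows.each do |row|
    html << "<tr>" << row.map { |v| "<td>#{v}</td>" }.join << "</tr>\n"
  end
  html << "</table>"
end

# Hardened rendering: every header and cell goes through html_escape (the same
# escaping Rails' h helper applies), so only the <table>/<tr>/<th>/<td> tags
# emitted here are trusted. Calling .html_safe on this result in Rails is then
# fine, because nothing in it reached the output unescaped.
def safe_table(columns, rows)
  esc = ->(v) { ERB::Util.html_escape(v.to_s) }
  html = "<table>\n"
  html << "<tr>" << columns.map { |c| "<th>#{esc.call(c)}</th>" }.join << "</tr>\n"
  rows.each do |row|
    html << "<tr>" << row.map { |v| "<td>#{esc.call(v)}</td>" }.join << "</tr>\n"
  end
  html << "</table>"
end

# Hypothetical check used below to show the difference: after stripping the
# table tags the builder itself emits, is there still a raw '<' left over?
def leaks_markup?(html)
  html.gsub(%r{</?(table|tr|th|td)>}, '').include?('<')
end

if __FILE__ == $0
  puts "unsafe leaks markup: #{leaks_markup?(unsafe_table(COLUMNS, ROWS))}" # true
  puts "safe leaks markup:   #{leaks_markup?(safe_table(COLUMNS, ROWS))}"   # false
  puts safe_table(COLUMNS, ROWS)
end
```

Escaping the output only closes the rendering problem; it does nothing for Jan Niggemann's point about letting wiki editors run arbitrary SQL, which still needs a separate, read-only database account at the very least, and preferably a fixed set of allowed queries rather than free-form SQL in the page.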