Defect #13539

html entities appear in subject line (aka xml escape codes)

Added by Robert Hailey over 4 years ago. Updated over 4 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Issues
Target version: -
Resolution:
Affected version: 1.4.4

Description

We recently performed the security fix for our 1.4.x redmine instance that involved upgrading rails:

http://www.redmine.org/news/78

... and now whenever a subject contains a special character, updating that ticket causes the escape code to be stored as the new subject.

e.g.
Ticket is opened with subject "user's email"
Someone leaves a comment
Subject is automatically changed to "user's email"

As you can imagine, it's very annoying.

I'm sure it's related to the new (and probably safer) handling of field input, but it seems that there should be an easy fix (it's just double encoded).

If this was already addressed somewhere between 1.4.4 & 1.4.7, can someone point to the fixing commit, please?

History

#1 Updated by Robert Hailey over 4 years ago

Just upgraded to 1.4.7, and the issue is still present.

I do not have permission to update the affected version to 1.4.7.

The issue seems to be that the value attribute of the input element is double-encoded.

<input id="issue_subject" name="issue[subject]" size="80" type="text" value="issue with special characters in it&amp;#x27;s subject line" />

I notice that the rails-3 gem is installed on my computer, but I doubt that redmine is using it (surely that would create bigger problems, no?); yet rails 3 does have an encoding change of some kind ( http://stackoverflow.com/questions/11934171/rails-3-replaces-with-amp-in-text-field ).

Next I will try to find a way to:
  • check what version of rails is being used by redmine at runtime, or
  • find a way to check if any other apps require rails-3 and delete it if not
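
A small Ruby reproduction of the round trip described in the description and in note #1 above (an added example, not Redmine or Rails code): a subject is escaped once or twice into the field's value attribute, the browser decodes it once, and the submitted value is what gets stored. The escaper, the field markup and the sample subject are constructed for the demonstration.

```ruby
require 'cgi'

# Constructed sample subject: the apostrophe is the special character from the report.
SAMPLE_SUBJECT = "user's email"

# Single-pass HTML attribute escaping, written out here so the output matches the
# &#x27; form seen in the reported value attribute (assumed helper, not Rails' own).
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#x27;' }.freeze

def escape_once(value)
  value.gsub(/[&<>"']/, ESCAPES)
end

# The regression: the helper escapes a value that was already escaped, so the
# leading '&' of every entity becomes '&amp;'.
def escape_twice(value)
  escape_once(escape_once(value))
end

# Render the subject field the way the form does; `escaper` is the helper under test.
def render_subject_field(subject, escaper)
  %(<input id="issue_subject" name="issue[subject]" type="text" value="#{escaper.call(subject)}" />)
end

# A browser decodes the attribute value exactly once before showing it in the field.
def browser_field_value(attr_value)
  CGI.unescapeHTML(attr_value)
end

# Round trip: render, let the browser decode once, submit the field back untouched.
# Returns what would be stored as the new subject after the user saves.
def stored_after_roundtrip(subject, escaper)
  browser_field_value(escaper.call(subject))
end

# Detection check for data already affected: a stored subject that still changes
# under one entity decode contains literal escape codes.
def contains_escape_codes?(stored_subject)
  CGI.unescapeHTML(stored_subject) != stored_subject
end

if __FILE__ == $PROGRAM_NAME
  puts render_subject_field(SAMPLE_SUBJECT, method(:escape_twice))
  puts stored_after_roundtrip(SAMPLE_SUBJECT, method(:escape_once))   # user's email
  puts stored_after_roundtrip(SAMPLE_SUBJECT, method(:escape_twice))  # user&#x27;s email
end
```

The `contains_escape_codes?` check can be run over existing subjects to find tickets whose stored value was already corrupted by the double encoding before the gem was updated.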

#2 Updated by Robert Hailey over 4 years ago

  • Status changed from New to Resolved

Found the issue, just a regression in rails 2.3.16...

http://stackoverflow.com/questions/14594815/why-does-rails-2-3-16-escape-quote-chars-in-form-fields

Updated the gem, ran "bundle install" in redmine root, and all is well!

#3 Updated by Toshi MARUYAMA over 4 years ago

  • Status changed from Resolved to Closed

Thank you for your feedback.
