Defect #13539

html entities appear in subject line (aka xml escape codes)

Added by Robert Hailey about 11 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Issues
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

We recently performed the security fix for our 1.4.x redmine instance that involved upgrading rails:

http://www.redmine.org/news/78

... and now whenever a subject contains a special character, updating that ticket causes the escape code to be stored as the new subject.

e.g.
  • Ticket is opened with subject "user's email"
  • Someone leaves a comment
  • Subject is automatically changed to "user&#x27;s email"

As you can imagine, it's very annoying.

I'm sure it's related to the new (and probably safer) handling of field input, but it seems that there should be an easy fix (it's just double encoded).

If this was already addressed somewhere between 1.4.4 & 1.4.7, can someone point to the fixing commit, please?

Actions #1

Updated by Robert Hailey almost 11 years ago

Just upgraded to 1.4.7, and the issue is still present.

I do not have permission to update the affected version to 1.4.7

The issue seems to be that the value attribute of the input element is double-encoded.

<input id="issue_subject" name="issue[subject]" size="80" type="text" value="issue with special characters in it&amp;#x27;s subject line" />

I notice that the rails-3 gem is installed on my computer, but I doubt that redmine is using it (surely that would create bigger problems, no?); yet rails 3 does have an encoding change of some kind (http://stackoverflow.com/questions/11934171/rails-3-replaces-with-amp-in-text-field).

Next I will try to find a way to:
  • check what version of rails is being used by redmine at runtime, or
  • find a way to check if any other apps require rails-3 and delete it if not
Actions #2

Updated by Robert Hailey almost 11 years ago

  • Status changed from New to Resolved

Found the issue, just a regression in rails 2.3.16...

http://stackoverflow.com/questions/14594815/why-does-rails-2-3-16-escape-quote-chars-in-form-fields

Updated the gem, ran "bundle install" in redmine root, and all is well!
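The following is an added illustration of the mechanism behind the `&amp;#x27;` seen in the value attribute in #1 and the regression found in #2; it is not code from this issue, from Redmine or from Rails. A value that has already been escaped once (apostrophe as the hex entity `&#x27;`) is passed through a second "escape once" pass that only recognizes named and decimal entities, so its `&` is encoded again; the browser decodes one level on submit and the literal `&#x27;` is what gets saved. Every function name, the entity table, the regexes and the browser-decoding stub are this example's own reconstruction, not Rails' implementation, and the sample subject is constructed for the demo.

```ruby
# Added example, not code from the Redmine issue, Redmine or Rails: a minimal
# model of how a form helper can double-encode an already-escaped value, and
# an idempotent "escape once" that does not. All names and regexes are this
# example's own reconstruction of the mechanism, not the real library code.

# Entity table with the apostrophe mapped to a *hex* numeric entity.
HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#x27;'
}.freeze

# Named entities the browser stub below knows how to decode.
NAMED_ENTITIES = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"' }.freeze

# Unconditional escape: every special character is encoded, every time.
def html_escape(str)
  str.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Buggy "escape once": an '&' is left alone only when it begins a named
# entity (&amp;) or a decimal numeric entity (&#39;). A hex entity such as
# &#x27; is not recognized, so its '&' is encoded a second time.
def escape_once_buggy(str)
  str.to_s.gsub(/[<>"']|&(?!(?:[a-zA-Z]+|#\d+);)/, HTML_ESCAPE)
end

# Fixed "escape once": hex numeric entities (&#x27;) are recognized as well,
# so the pass is idempotent over anything html_escape can produce.
def escape_once_fixed(str)
  str.to_s.gsub(/[<>"']|&(?!(?:[a-zA-Z]+|#\d+|#[xX]\h+);)/, HTML_ESCAPE)
end

# Models the server side: the subject is escaped once by the caller, then the
# tag builder runs its "escape once" over the value attribute.
def value_attribute(subject, escape_once)
  escape_once.call(html_escape(subject))
end

# Models the browser: the value attribute is entity-decoded exactly once and
# that string is what gets submitted back (and stored) on the next update.
def browser_decode(attr)
  attr.gsub(/&(#x(\h+)|#(\d+)|amp|lt|gt|quot);/) do
    if $2
      $2.hex.chr(Encoding::UTF_8)
    elsif $3
      $3.to_i.chr(Encoding::UTF_8)
    else
      NAMED_ENTITIES[$1]
    end
  end
end

# One render/submit cycle: what the stored subject becomes after a comment.
def round_trip(subject, escape_once)
  browser_decode(value_attribute(subject, escape_once))
end

if __FILE__ == $PROGRAM_NAME
  subject = "user's email" # constructed sample, mirrors the report above
  puts "buggy attr:  #{value_attribute(subject, method(:escape_once_buggy))}"
  puts "buggy saved: #{round_trip(subject, method(:escape_once_buggy))}"
  puts "fixed attr:  #{value_attribute(subject, method(:escape_once_fixed))}"
  puts "fixed saved: #{round_trip(subject, method(:escape_once_fixed))}"
end
```

Two things worth checking after an upgrade like the one in #2: the rendered value attribute should contain `&#x27;` exactly once, and saving an untouched form should leave the stored subject byte-for-byte unchanged. Note that the corrected pass stops the corruption but does not repair subjects that already contain a literal `&#x27;`; those round-trip unchanged and need a one-off cleanup. The fix is to recognize what is already escaped, not to stop escaping the attribute, since an unescaped `"` in a value attribute would let a subject break out of the attribute.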

Actions #3

Updated by Toshi MARUYAMA almost 11 years ago

  • Status changed from Resolved to Closed

Thank you for your feedback.
