Feature #2416

{background:color} doesn't work in text formatting

Added by Chaoqun Zou over 8 years ago. Updated about 3 years ago.

Status:ClosedStart date:2008-12-30
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Text formatting
Target version:1.4.0
Resolution:Fixed

Description

table{border:1px bordercolor:darkblue}.
|_.1|_.2|_.3|_.4|
|a|b|{background:#ddd}.c|d|
|e|f|g|{background:#ddd}. Grey cell|

should looks like the table below, but in the current devel version(r2202 tested), the background color cann't be displayed.

1 2 3 4
a b c d
e f g Grey cell

Related issues

Related to Redmine - Defect #949: Style not applied to wiki image Closed 2008-03-28
Duplicated by Redmine - Defect #5141: textile style tags do not work Closed 2010-03-21
Duplicated by Redmine - Defect #10324: How can I set Wiki text's color Closed
Duplicated by Redmine - Feature #10325: Text formatting: textile not working for i.e. styles Closed

Associated revisions

Revision 8860
Added by Jean-Philippe Lang about 5 years ago

Allows custom styles in textile formatting using a white list of styles (#2416).

History

#1 Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from New to Resolved
  • Resolution set to Wont fix

Textile inline styles were disabled in r2192 for security reasons.

If you really need this feature and don't fear XSS attacks, then have a look at:
source:/trunk/lib/redmine/wiki_formatting/textile/formatter.rb@2192#L33

#2 Updated by Chaoqun Zou over 8 years ago

I'm not familiar with XSS. And does the code below still looks like a vulnerability?

[...]

#3 Updated by Jean-Philippe Lang over 8 years ago

Yes. It looks like. Example stripped and fix committed in r2212.

#4 Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from Resolved to Closed

#5 Updated by Chaoqun Zou over 8 years ago

I have found a textile reference that says:

Developers can easily include Textile in any web application that accepts user input for display on web pages. Textile supports UTF-8 input, and produces valid XHTML. A “Restricted” mode is available for processing input from untrusted users, where invalid input and XSS attacks are a risk.

Maybe you would like to have a look at: http://thresholdstate.com/articles/4312/the-textile-reference-manual

#6 Updated by Jean-Philippe Lang about 5 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from {background:color} doesn't work in the textile field of wiki or issue page to {background:color} doesn't work in text formatting
  • Category changed from Wiki to Text formatting
  • Assignee set to Jean-Philippe Lang
  • Target version set to 1.4.0
  • Resolution changed from Wont fix to Fixed

The following white list of styles is now allowed in text formatting (r8860): color, width, height, border, background, padding, margin, font, text and their variations (eg. border-left, ...). Malformed styles are filetered as well.

table{background:#afa}.
|_.1|_.2|
|{background:red; color:white}. Red cell|d|
|g|{background:#ddd}. Grey cell|

Displays:

1 2
Red cell d
g Grey cell

#7 Updated by Keats . almost 5 years ago

the FAQ points there but it's not working for me.

steps
  • create a wiki
  • paste the table example

table{background:#afa}. |_.1|_.2| |{background:red; color:white}. Red cell|d| |g|{background:#ddd}. Grey cell

is seen on the the wiki

#8 Updated by Ivan Samygin about 3 years ago

I noticed that there must be an empty line before your table markup to get it work.

Also available in: Atom PDF