Defect #807

HTML not escaped in ticket descriptions

Added by David Förster almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Start date: 2008-03-07
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: UI
Target version: -
Resolution: Fixed
Affected version:

Description

HTML tags are not escaped in ticket comments.


Related issues

Related to Redmine - Feature #20497: Markdown formatting supporting HTML New

Associated revisions

Revision 1216
Added by Jean-Philippe Lang almost 10 years ago

Textile formatting:
  • escape html tags, except pre tags (#807, #795)
  • try to avoid unwanted quick phrase modifiers

History

#1 Updated by Rocco Stanzione almost 10 years ago

I think this is a have-your-cake-and-eat-it-too scenario. Issue descriptions are textilized so they can be formatted, and part of that is accepting HTML as-is. You should probably put any HTML in the descriptions (that you don't want interpreted by browsers) into a tag.

#2 Updated by Jean-Philippe Lang almost 10 years ago

Actually, HTML is escaped here on redmine.org (e.g. <h1>Redmine</h1>) except pre tags used for preformatted text.
I'll commit this change.

#3 Updated by Jean-Philippe Lang almost 10 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r1216 (only pre tags are not escaped).
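The behaviour discussed in this thread, as an added Ruby example that is not Redmine's code and not the change in r1216: a description handed to the browser unescaped lets anyone who can file or edit a ticket inject script that runs for every viewer of that ticket (stored cross-site scripting), while the hardened renderer escapes every tag and keeps only `<pre>` blocks, with their contents shown literally. The function names `render_unescaped`, `render_escaped` and `live_tags`, the regex-based handling of `<pre>` (a stand-in for the Textile formatter, and it does not cover `<pre>` with attributes) and the sample input are all assumptions made for this illustration.

```ruby
require 'cgi'

# Constructed sample input (not from the ticket): a description carrying a
# script tag plus a pre block whose contents the author wants shown literally.
SAMPLE = "<script>alert(1)</script> and <pre><b>literal</b></pre>"

# The defect as reported: the description reaches the browser unchanged, so
# every tag a reporter types is interpreted, script included (stored XSS).
def render_unescaped(text)
  text
end

# Hardened form along the lines of what the fix describes: every HTML tag is
# escaped, except that <pre>...</pre> keeps its preformatted block, and the
# block's contents are escaped so they display verbatim. The regex-based
# handling is a simplification for illustration, not Redmine's formatter.
PRE_BLOCK = %r{(<pre>.*?</pre>)}m

def render_escaped(text)
  # split with a capture group keeps the matched pre blocks in the result
  text.split(PRE_BLOCK).map do |part|
    if (m = part.match(%r{\A<pre>(.*?)</pre>\z}m))
      "<pre>#{CGI.escapeHTML(m[1])}</pre>"
    else
      # an unterminated <pre> never matches PRE_BLOCK and is escaped here,
      # so it cannot open a block that swallows the rest of the page
      CGI.escapeHTML(part)
    end
  end.join
end

# Check: names of tags still live in rendered output, ignoring pre itself.
# A hardened renderer must return an empty list for arbitrary input.
def live_tags(html)
  html.scan(%r{</?\s*([A-Za-z][\w-]*)}).flatten.map(&:downcase).uniq - ['pre']
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unescaped(SAMPLE)}"
  puts "  live tags: #{live_tags(render_unescaped(SAMPLE)).inspect}"
  puts "escaped:   #{render_escaped(SAMPLE)}"
  puts "  live tags: #{live_tags(render_escaped(SAMPLE)).inspect}"
end
```

`live_tags` is the check to keep around: run it over the rendered form of any stored, user-controlled field, and anything other than an empty list means a tag other than `pre` is still reaching the browser.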

#4 Updated by Go MAEDA over 2 years ago

  • Related to Feature #20497: Markdown formatting supporting HTML added
