html entities appear in subject line (aka xml escape codes)
We recently performed the security fix for our 1.4.x redmine instance that involved upgrading rails:
... and now whenever a subject contains a special character, updating that ticket causes the escape code to be stored as the new subject.
Ticket is opened with subject "user's email"
Someone leaves a comment
Subject is automatically changed to "user's email"
As you can imagine, it's very annoying.
I'm sure it's related to the new (and probably safer) handling of field input, but it seems that there should be an easy fix (it's just double encoded).
If this was already addressed somewhere between 1.4.4 & 1.4.7, can someone point to the fixing commit, please?
#1 Updated by Robert Hailey about 8 years ago
Just upgraded to 1.4.7, and the issue is still present.
I do not have permission to update the affected version to 1.4.7
The issue seems to be that the value attribute of the input element is double-encoded.
<input id="issue_subject" name="issue[subject]" size="80" type="text" value="issue with special characters in it&#x27;s subject line" />
I notice that the rails-3 gem is installed on my computer, but I doubt that redmine is using it (surly that would create bigger problems, no?); yet rails 3 does have an encoding change of some kind ( http://stackoverflow.com/questions/11934171/rails-3-replaces-with-amp-in-text-field ).Next I will try to find a way to:
- check what version of rails is being used by redmine at runtime, or
- find a way to check if any other apps require rails-3 and delete it if not
#2 Updated by Robert Hailey about 8 years ago
- Status changed from New to Resolved
Found the issue, just a regression in rails 2.3.16...
Updated the gem, ran "bundle install" in redmine root, and all is well!