Project

General

Profile

Actions
Copy link

Patch #16087

closed

Markdown renderer doesn’t clean HTML properly

Added by Charmander - over 11 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Text formatting
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

The current renderer strips HTML (contrary to conventional Markdown) and still fails to catch everything:

[bad link](javascript:alert(1\))

This fixes both behaviours. scrub-classes is a patch to remove unrecognized classes that could potentially be used to annoy; I haven’t completed the list because the existing implementation already allows all classes through syntax highlighting:

~~~any-class-here
code block
~~~

Files

Download all files
redmine-markdown-loofah.diff (2.42 KB) redmine-markdown-loofah.diff the main patch Charmander -, 2014-02-13 03:43
redmine-markdown-scrub-classes.diff (1.53 KB) redmine-markdown-scrub-classes.diff Charmander -, 2014-02-13 03:45
Actions
Copy link
 #1

Updated by Charmander - over 11 years ago

This one needs a more comprehensive list of acceptable classes.

Actions
Copy link
 #2

Updated by Charmander - almost 11 years ago

ahem

Actions
Copy link
 #4

Updated by Charmander - almost 11 years ago

Yes, one is already included in that patch.

Actions
Copy link
 #5

Updated by Toshi MARUYAMA almost 11 years ago

Please add test cases in your patch.

Actions
Copy link
 #6

Updated by Charmander - almost 11 years ago

Like I said, the patch includes a test case.

Actions
Copy link
 #7

Updated by Charmander - almost 11 years ago

ahem

Actions
Copy link
 #8

Updated by Charmander - about 10 years ago

Okay, I’ve added tests to my patch.

Actions
Copy link
 #9

Updated by Go MAEDA over 6 years ago

  • Status changed from New to Closed

Current versions of Redmine don't render [bad link](javascript:alert(1\)). And code blocks don't accept unknown language name (r16501 and r16502).

Actions
Copy link

Also available in: Atom PDF