Defect #22967

markdown: special character like ' (quote) breaks wiki links

Added by Philippe Le Brouster almost 2 years ago. Updated 3 days ago.

Status: Confirmed
Start date:
Priority: Normal
Due date:
Assignee: Marius BALTEANU
% Done: 0%
Category: Wiki
Target version: 4.1.0
Resolution:
Affected version: 3.2.2

Description

Affected version: 3.1.5, 3.2.2, at least
To reproduce:

Explanation:

I'm trying to upgrade redmine from 2.4.2 to 3.1.5 (or 3.2.2) and I've an issue with the wiki links.

With the version 2.4.2, using quote "'" in the wiki links was working (using the redmine_redcarpet_formatter).

For example:

[[This is a link'test]]

With the version 3.1.5 or 3.2.2 the same code breaks the wiki link during html formatting. The output is something like

This is a link&

I suspect there is a problem during the text escaping because the function ``parse_wiki_links`` in app/helpers/application_helper considers that there is an anchor. The supposed anchor comes from the html escaped form of the quote (which is &#39).

In French language, this is a major problem because the quote character is often used.

Regards,
Philippe Le Brouster.

link.png (11 KB) Toshi MARUYAMA, 2016-06-22 16:51

wiki_edit.png - Content when editing (5.87 KB) Philippe Le Brouster, 2016-06-23 14:55

wiki_content.png - Content when viewing (8.63 KB) Philippe Le Brouster, 2016-06-23 14:55

tests_for_special_characters_breaks_wiki_links.patch (2.31 KB) Marius BALTEANU, 2018-03-31 14:58

fix_for_22967.patch (965 Bytes) Marius BALTEANU, 2018-03-31 15:17

fix_for_22967-v2.diff - patch for r17346 (868 Bytes) Go MAEDA, 2018-05-22 12:53


Related issues

Duplicated by Redmine - Defect #10413: Creating wiki pages with special characters may be proble... Closed

History

#1 Updated by Toshi MARUYAMA almost 2 years ago

I cannot reproduce on vanilla Redmine 3.2.3 ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux].

#2 Updated by Toshi MARUYAMA almost 2 years ago

  • Status changed from New to Needs feedback

#3 Updated by Philippe Le Brouster almost 2 years ago

Hi,

The problem exists only with the markdown text format. The textile format is ok.

Did you test with this markdown text format?

I've just set up a vanilla redmine 3.2.3 (tarball from the website). And I can reproduce this bug.

Content when editing

Content when viewing

Regards,
Philippe Le Brouster

#4 Updated by Toshi MARUYAMA almost 2 years ago

  • Subject changed from Special character like ' (quote) breaks wiki links to markdown: special character like ' (quote) breaks wiki links
  • Status changed from Needs feedback to New

#5 Updated by Adrien Crivelli almost 2 years ago

I am also affected by this bug on Redmine 3.0.0.

I'd say it should be quite high on the priority list, because it will break things for a lot of French users, and possibly other languages too. But it will also break in English, as seen in those examples:

Markdown input:

[[Jack & Coke]]
[[a "quoted" name]]
[[le français, c'est super]]
[[broken < less]]
[[broken > more]]
[[also <broken> link]]

Actual output:

Jack &amp; Coke
a &quot;quoted&quot; name
le français, c&
broken &lt; less
broken &gt; more
also link

Expected output:

Jack & Coke
a "quoted" name
le français, c'est super
broken < less
broken > more
also broken link
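The failure mode reported above, as an added Ruby example that is not Redmine's code: a simplified link pass run over formatter output that is already HTML-escaped, first in the buggy order and then with entities decoded before parsing and escaped once on output. The `/wiki/` URL scheme, the regex and all method names are assumptions made for illustration.

```ruby
require 'cgi'

# Simplified model (assumption, not Redmine's parse_wiki_links): the formatter
# has already HTML-escaped the text; a later pass rewrites [[Page#anchor|Title]].
WIKI_LINK = /\[\[([^\]\n|]+)(?:\|([^\]\n|]+))?\]\]/

# Split "Page#anchor" at the first '#'.
def split_anchor(page)
  page =~ /\A(.+?)#(.+)\z/ ? [$1, $2] : [page, nil]
end

# Build the link from raw text, escaping each value once for its context.
def anchor_tag(page, anchor, title)
  href = "/wiki/#{CGI.escape(page)}"
  href += "##{CGI.escape(anchor)}" if anchor
  %(<a href="#{href}">#{CGI.escapeHTML(title || page)}</a>)
end

# Buggy order: parse the still-escaped text. The '#' inside "&#39;" is read as
# the anchor separator, and the other entities are escaped a second time.
def render_buggy(escaped_text)
  escaped_text.gsub(WIKI_LINK) do
    raw_page, title = $1, $2
    page, anchor = split_anchor(raw_page)
    anchor_tag(page, anchor, title)
  end
end

# Corrected order: decode entities, parse the raw name, escape once on output.
def render_fixed(escaped_text)
  escaped_text.gsub(WIKI_LINK) do
    raw_page = CGI.unescapeHTML($1)
    title = $2 && CGI.unescapeHTML($2)
    page, anchor = split_anchor(raw_page)
    anchor_tag(page, anchor, title)
  end
end

# Constructed inputs, taken from the link names quoted in this thread.
["[[This is a link'test]]", "[[Jack & Coke]]", "[[broken < less]]"].each do |src|
  escaped = CGI.escapeHTML(src) # what the formatter hands to the link pass
  puts "buggy: #{render_buggy(escaped)}"
  puts "fixed: #{render_fixed(escaped)}"
end
```

In the corrected order the decoded name never reaches the output unescaped: `<` in a page name still leaves the renderer as `&lt;`, it is just no longer escaped twice.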

#6 Updated by Marius BALTEANU about 1 month ago

I made some tests based on the first 5 examples added by Adrien Crivelli in his post. The tests fail on both Textile and Markdown formatters.

#7 Updated by Marius BALTEANU about 1 month ago

I also made a potential patch that fixes these issues. I'm saying just potential because I'm not sure if it is ok from a security point of view. From my tests it is ok, but I need a second opinion.

Regarding the case "[[also <broken> link]]", it is harder to make a fix because the tag is completely removed by the markdown formatter.

#8 Updated by Marius BALTEANU about 1 month ago

  • Status changed from New to Confirmed

#9 Updated by Marius BALTEANU 11 days ago

  • Duplicated by Defect #10413: Creating wiki pages with special characters may be problematic added

#10 Updated by Marius BALTEANU 11 days ago

  • Target version set to Candidate for next minor release

I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?

#11 Updated by Go MAEDA 6 days ago

Marius BALTEANU wrote:

I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?

I think 4.0.0 is preferable to minor releases because it requires some manual work to backport the tests to 3.4/3.3-stable.

#12 Updated by Marius BALTEANU 6 days ago

  • Target version changed from Candidate for next minor release to 4.1.0

#13 Updated by Go MAEDA 5 days ago

  • Assignee set to Go MAEDA

#14 Updated by Go MAEDA 3 days ago

Update the patch for r17346.

#15 Updated by Go MAEDA 3 days ago

  • Assignee changed from Go MAEDA to Marius BALTEANU

The following patch also works. Marius, do you think it is OK? I prefer this code because it is simpler and CGI.unescapeHTML is already used in application_helper.rb.

Index: app/helpers/application_helper.rb
===================================================================
--- app/helpers/application_helper.rb    (revision 17346)
+++ app/helpers/application_helper.rb    (working copy)
@@ -740,6 +740,7 @@
       link_project = project
       esc, all, page, title = $1, $2, $3, $5
       if esc.nil?
+        page = CGI.unescapeHTML(page)
         if page =~ /^\#(.+)$/
           anchor = sanitize_anchor_name($1)
           url = "##{anchor}" 
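
Review bot: the added `page = CGI.unescapeHTML(page)` leaves `page` holding decoded text, so from this line on it can contain literal `<`, `>`, `"` and `&` that the formatter had escaped. The hunk does not show where `page` is later written into the link, so each of those outputs needs to be confirmed as escaped again, and a test asserting that `[[broken < less]]` still renders with `&lt;` would pin that down. Only `page` is decoded: `title`, taken from the same `esc, all, page, title = $1, $2, $3, $5` assignment, stays in escaped form, so the two values are now in different encodings and a short comment stating which one is raw would help the next reader.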
