Project

General

Profile

Actions
Copy link

Defect #6969

open

Less-than sign in issue description and comments are not escaped

Added by Magnus Henoch over 14 years ago. Updated over 4 years ago.

Status:
Reopened
Priority:
Normal
Assignee:
Jean-Philippe Lang
Category:
Text formatting
Target version:
Candidate for next major release
Start date:
2010-11-24
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
1.0.3

Description

When an issue description or comment contains a less-than sign (<), this sign is output verbatim in the issue page, instead of being escaped with ampersand-"lt"-semicolon. This causes the issue details page to be invalid XHTML, which is contrary to the page's doctype, and makes it impossible to read the page with an XML parser. I created an issue on the demo site to demonstrate the problem.

To reproduce, run xmllint URL-OF-ISSUE-PAGE, like this:

$ xmllint http://demo.redmine.org/issues/38181
http://demo.redmine.org/issues/38181:166: parser error : StartTag: invalid element name
<p>Hm: <</p>
        ^
http://demo.redmine.org/issues/38181:241: parser error : StartTag: invalid element name
mg alt="Comment" src="/images/comment.png?1286930539" /></a></div><p>And this? <
                                                                               ^
http://demo.redmine.org/issues/38181:330: parser error : Entity 'copy' not defined
    Powered by <a href="http://www.redmine.org/">Redmine</a> &copy; 2006-2010 Je
                                                                   ^

The third error is a false positive (xmllint doesn't know XHTML entities), but the first two errors are symptoms of this problem.

Files

issue6969_test_escaping.diff (576 Bytes) issue6969_test_escaping.diff Go MAEDA, 2015-10-01 10:26

Related issues

Related to Redmine - Defect #21202: Left aligned sign in tabular is not worked since applying #6969Closed

Actions
Actions
Copy link
 #1

Updated by Go MAEDA over 9 years ago

Thank you for reporting this issue.

Textile formatter in the latest trunk (r14634) is still affected.
Here is a test to catch this issue: issue6969_test_escaping.diff

Actions
Copy link
 #2

Updated by Toshi MARUYAMA over 9 years ago

  • Target version set to 2.6.8
Actions
Copy link
 #3

Updated by Jean-Philippe Lang over 9 years ago

  • Category changed from Security to Text formatting
  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Private changed from Yes to No
  • Resolution set to Fixed

Fixed in r14812.

Actions
Copy link
 #4

Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from Resolved to Closed
Actions
Copy link
 #5

Updated by Jean-Philippe Lang over 9 years ago

  • Related to Defect #21202: Left aligned sign in tabular is not worked since applying #6969 added
Actions
Copy link
 #6

Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from Closed to Reopened
  • Target version changed from 2.6.8 to Candidate for next major release

Fix reverted, see #21202.

Actions
Copy link

Also available in: Atom PDF