Less-than sign in issue description and comments are not escaped
|Assignee:||Jean-Philippe Lang||% Done:|
|Target version:||Candidate for next major release|
When an issue description or comment contains a less-than sign (
<), this sign is output verbatim in the issue page, instead of being escaped with ampersand-"lt"-semicolon. This causes the issue details page to be invalid XHTML, which is contrary to the page's doctype, and makes it impossible to read the page with an XML parser. I created an issue on the demo site to demonstrate the problem.
To reproduce, run
xmllint URL-OF-ISSUE-PAGE, like this:
$ xmllint http://demo.redmine.org/issues/38181 http://demo.redmine.org/issues/38181:166: parser error : StartTag: invalid element name <p>Hm: <</p> ^ http://demo.redmine.org/issues/38181:241: parser error : StartTag: invalid element name mg alt="Comment" src="/images/comment.png?1286930539" /></a></div><p>And this? < ^ http://demo.redmine.org/issues/38181:330: parser error : Entity 'copy' not defined Powered by <a href="http://www.redmine.org/">Redmine</a> © 2006-2010 Je ^
The third error is a false positive (xmllint doesn't know XHTML entities), but the first two errors are symptoms of this problem.
#1 Updated by Go MAEDA over 2 years ago
- File issue6969_test_escaping.diff added
- Category changed from Issues to Security
- Status changed from New to Confirmed
- Private changed from No to Yes