Defect #8701
closed
HTML Entities are not escaped
Added by Johannes Barre almost 14 years ago.
Updated over 13 years ago.
Description
If you enter & or " in a text field in Redmine, it will display just & or " in the preview or if you save the entry (I double-escaped the entities here to get them displayed here). Since it is a text input, I would expect Redmine to display everything as entered. We just had an issue about entities, and it was hard to understand because of this bug.
- Category set to Text formatting
This is not technically a defect but the intended behavior of the RedCloth library. I'm investigating what the options are to make this a configurable option as a patch to RedCloth as I don't think this is what the vast majority of users would expect to happen. However, if you'd like to directly patch RedCloth as a complete hack, the following patch to lib/redcloth3.rb will work (though it's obviously pretty messy):
diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index f4c6244..3948931 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@ -308,6 +308,7
@ class RedCloth3 < String
retrieve text
+ text.gsub!(/&(amp|euro|quot|gt|lt|nbsp|iexcl|cent|pound|curren|yen|brvbar|sect|uml|copy|ordf|not|shy|reg|macr|deg|plusmn|sup2|sup3|acute|micro|para|middot|cedil|sup1|ordm|raquo|frac14|frac12|frac34|iquest|Agrave|Aacute|Acirc|Atilde|Auml|Aring|AElig|Ccedil|Egrave|Eacute|Ecirc|Euml|Igrave|Iacute|Icirc|Iuml|ETH|Ntilde|Ograve|Oacute|Ocirc|Otilde|Ouml|times|Oslash|Ugrave|Uacute|Ucirc|Uuml|Yacute|THORN|szlig|agrave|aacute|acirc|atilde|auml|aring|aelig|ccedil|egrave|eacute|ecirc|euml|igrave|iacute|icirc|iuml|eth|ntilde|ograve|oacute|ocirc|otilde|ouml|divide|oslash|ugrave|uacute|ucirc|uuml|yacute|thorn);/, '&\1;')
text.gsub!( /<\/?notextile>/, '' )
text.gsub!( /&/, '&' )
clean_html text if filter_html
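Review bot: as the hunk appears here, both substitutions are identity replacements: the added gsub rewrites `&amp;` ... `&thorn;` to `'&\1;'`, which yields the same text it matched, and the existing `text.gsub!( /&/, '&' )` replaces `&` with `&`. For an entity typed by the user to display literally, the added line has to escape the leading ampersand, i.e. `'&amp;\1;'` rather than `'&\1;'`. Even with that fix the hard-coded alternation covers only the listed named entities, so numeric references such as `&#38;` or `&#x26;` still reach the browser unchanged and render as `&`; a pattern keyed on the shape of a character reference (`&` followed by a name, `#` plus digits, or `#x` plus hex digits, then `;`) closes that gap and removes the need to maintain the list. Since the line sits between `retrieve text` and `clean_html text`, a short comment in the file stating that the escape is deliberate (and why it must run before `clean_html`) would save the next reader from removing it as a no-op.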
- Status changed from New to Closed
- Resolution set to Wont fix
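The two escaping strategies discussed in the comment above, as an added example that is not code from Redmine or RedCloth: `escape_listed_entities` mirrors the fixed-list approach of the posted patch with a short, hypothetical subset of the entity names, and `escape_all_entities` escapes any ampersand that begins something an HTML parser would treat as a character reference (named, decimal or hex). `browser_decode` is a minimal stand-in for the browser's decoding step, written here only to show what the reader finally sees; it is not a full entity decoder, and the sample text is constructed.

```ruby
# Added example (not Redmine's or RedCloth's own code): neutralising HTML
# entities typed by a user before they reach the HTML renderer, so that
# "&amp;" is displayed as the six characters the user typed, not as "&".

# Fixed-list approach, as in the posted patch. FIXED_LIST is a hypothetical
# subset of the names the patch enumerates; anything not listed passes
# through untouched and is decoded by the browser.
FIXED_LIST = %w[amp quot gt lt nbsp copy].freeze
FIXED_LIST_RE = /&(#{FIXED_LIST.join('|')});/

def escape_listed_entities(text)
  # "&amp;" -> "&amp;amp;", "&quot;" -> "&amp;quot;", "&#38;" unchanged.
  text.gsub(FIXED_LIST_RE, '&amp;\1;')
end

# List-free approach: escape the "&" of anything shaped like a character
# reference. A bare "&" that cannot form a reference (as in "R&D") is left
# alone; the assumption is that the renderer already escapes those itself.
ENTITY_RE = /&(?=(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)/

def escape_all_entities(text)
  text.gsub(ENTITY_RE, '&amp;')
end

# Stand-in for the browser's decoding of character references, used only to
# check what the reader would finally see. Decodes numeric references and
# the few named ones this example produces; it is not a full HTML decoder.
NAMED = { 'amp' => '&', 'quot' => '"', 'lt' => '<', 'gt' => '>' }.freeze

def browser_decode(html)
  html.gsub(/&(#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/) do
    ref = Regexp.last_match(1)
    if ref.start_with?('#x', '#X')
      ref[2..].to_i(16).chr(Encoding::UTF_8)
    elsif ref.start_with?('#')
      ref[1..].to_i.chr(Encoding::UTF_8)
    else
      NAMED.fetch(ref) { "&#{ref};" } # unknown name: leave as typed
    end
  end
end

# Constructed sample: named, decimal and hex forms of "&", a named quote,
# and a bare ampersand that is not a reference.
SAMPLE = 'Use &amp; and &#38; and &#x26; plus &quot;q&quot; and R&D'.freeze

# Returns what the reader sees under each strategy, so the difference is
# visible without a browser.
def compare_strategies(text = SAMPLE)
  {
    listed: browser_decode(escape_listed_entities(text)),
    all:    browser_decode(escape_all_entities(text))
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_strategies.each { |name, shown| puts "#{name}: #{shown}" }
end
```

With the fixed list, the two numeric references still collapse to a single `&` in the rendered page, which is exactly the symptom in the bug report; the shape-based pattern round-trips the whole sample unchanged.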