Defect #43890
Updated by Holger Just 22 days ago
<pre> h2. Environment * *Redmine version:* 6.1.0 * *Previously working on:* Redmine 5.x (same database, same content) * *Text formatting:* CommonMark Markdown (GitHub Flavored) — used on both versions * *commonmarker gem:* 2.x (Redmine 6.x) — previously 0.23.x (Redmine 5.x) h2. Description After upgrading from Redmine 5.x to 6.1, wiki links to pages whose titles contain underscores produce broken URLs. The underscore characters (@_@) inside @[[ ]]@ wiki link syntax are being interpreted as CommonMark emphasis delimiters by the new commonmarker 2.x engine (comrak-based), resulting in @<span>@ and @<em>@ HTML tags leaking into the generated @href@ attribute. This is a regression caused by the commonmarker gem major version upgrade from 0.23.x (cmark-gfm based) to 2.x (comrak-based). The wiki content in the database has not changed, @parse_wiki_links@ in @application_helper.rb@ has not changed, and the text formatting setting (CommonMark) has not changed — only the underlying Markdown parsing engine changed. h2. Editor corruption When editing the affected wiki page in Redmine 6.1, the editor textarea shows backslash-escaped underscores that were *not* present in the original content: Redmine *Redmine 6.1 editor shows: shows:* <pre> * [[SMTP\_-\_emaily\|SMTP - emaily]] </pre> Redmine 5.x editor shows (correct, matches database content): <pre> * [[SMTP_-_emaily|SMTP - emaily]] </pre> The backslash escaping is being inserted by the rendering pipeline — it is not present in the database. This means that if a user edits and saves a page on 6.1, the escaped version (@_@) gets written back to the database, permanently corrupting the content. h2. Expected result (Redmine 5.x with commonmarker 0.23.x) <pre> /projects/myproject/wiki/SMTP_-_emaily </pre> h2. Actual result (Redmine 6.1 with commonmarker 2.x) <pre> /projects/myproject/wiki/SMTP%3Cspan%3E%3Cem%3E%3Cspan%3E-%3Cspan%3E%3Cspan%3E%3Cspan%3E%3Cem%3E%3Cspan%3Eemaily%3Cspan%3E?parent=Wiki </pre> URL-decoded, this reveals emphasis/span tags injected where the underscores were: <pre> SMTP<span><em><span>-<span><span><span><em><span>emaily<span> </pre> h2. Root cause analysis The @commonmarker@ gem was upgraded from 0.23.x (C-based cmark-gfm wrapper) to 2.x (Rust-based comrak wrapper) in Redmine 6.0. The new comrak engine handles intra-word emphasis differently. Where the old cmark-gfm engine left underscores inside @[[...]]@ wiki link markup alone, the new comrak engine interprets them as emphasis delimiters and wraps the content in @<em>@/@<span>@ tags. The @parse_wiki_links@ method in @app/helpers/application_helper.rb@ has not changed, and it extracts page names from @$3@ in its regex match. However, the page name captured from the text already contains the HTML emphasis tags injected by the CommonMark engine, which then end up URL-encoded in the generated link. h2. Impact This issue is especially severe because: It affects all existing wiki links to pages with underscores in their titles — no content change is needed to trigger the regression Editing and saving corrupts the database — the backslash-escaped underscores get written back permanently