Defect #14171

If the text formatting is "none", meta characters in URLs are escaped twice.

Added by Nayuta Taga about 8 years ago. Updated over 5 years ago.

Status: New
Start date:
Priority: Low
Due date:
Assignee: -
% Done: 0%
Category: Text formatting
Target version: -
Resolution:
Affected version: 2.3.1

Description

If the text formatting is "none", meta characters in URLs are escaped twice.

For example,

http://foo/bar.cgi&query=baz

is formatted as:
<a href="http://foo/bar.cgi&amp;amp;query=baz">http://foo/bar.cgi&amp;amp;query=baz</a>

This problem is introduced by Redmine::WikiFormatting::NullFormatter#to_html (in lib/redmine/wiki_formatting.rb):

def to_html(*args)
  t = CGI::escapeHTML(@text)
  auto_link!(t)
  auto_mailto!(t)
  simple_format(t, {}, :sanitize => false)
end

Meta characters in URLs in the @text are escaped by both CGI::escapeHTML() and auto_link!().

So,

&

becomes
&amp;amp;

----
$ RAILS_ENV=production rake about

About your application's environment
Ruby version              2.0.0 (amd64-freebsd8)
RubyGems version          1.8.25
Rack version              1.4
Rails version             3.2.13
Active Record version     3.2.13
Action Pack version       3.2.13
Active Resource version   3.2.13
Action Mailer version     3.2.13
Active Support version    3.2.13
Middleware                Rack::Cache, 
 ActionDispatch::Static, 
 Rack::Lock, 
 #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x00000804a48cb8>,
 Rack::Runtime,
 Rack::MethodOverride,
 ActionDispatch::RequestId,
 Rails::Rack::Logger,
 ActionDispatch::ShowExceptions,
 ActionDispatch::DebugExceptions,
 ActionDispatch::RemoteIp,
 ActionDispatch::Callbacks,
 ActiveRecord::ConnectionAdapters::ConnectionManagement,
 ActiveRecord::QueryCache, ActionDispatch::Cookies,
 ActionDispatch::Session::CookieStore,
 ActionDispatch::Flash,
 ActionDispatch::ParamsParser,
 ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag,
 ActionDispatch::BestStandardsSupport,
 OpenIdAuthentication
Application root          (snip)/redmine-2.3.1
Environment               production
Database adapter          sqlite3
Database schema version   20130217094251
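
Added example (not Redmine's code and not part of the original report): a stand-alone Ruby reproduction of the double escaping described above, next to a render path that escapes every segment exactly once. `URL_RE`, `link_to_url`, `render_double_escaped` and `render_escaped_once` are hypothetical names; `link_to_url` only stands in for a linker that escapes the URL itself, which is the behaviour the report attributes to auto_link!.

```ruby
require 'cgi/escape'

# Assumption: a simplified URL pattern, not the one Redmine uses.
URL_RE = %r{https?://[^\s<>"]+}

# Hypothetical stand-in for a linker that HTML-escapes the URL it wraps.
def link_to_url(url)
  safe = CGI.escapeHTML(url)
  %(<a href="#{safe}">#{safe}</a>)
end

# Reproduces the report: the whole text is escaped first, then the linker
# escapes the already-escaped URL again, so "&" ends up as "&amp;amp;".
def render_double_escaped(text)
  CGI.escapeHTML(text).gsub(URL_RE) { |url| link_to_url(url) }
end

# Escapes each character exactly once: the raw text is split into URL and
# non-URL segments, the linker escapes URLs, everything else is escaped here.
def render_escaped_once(text)
  out = +''
  pos = 0
  text.scan(URL_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[pos...m.begin(0)]) # text before the URL
    out << link_to_url(m[0])                      # the URL, escaped by the linker
    pos = m.end(0)
  end
  out << CGI.escapeHTML(text[pos..-1])            # text after the last URL
end

if __FILE__ == $PROGRAM_NAME
  sample = 'http://foo/bar.cgi&query=baz' # the URL from the report
  puts render_double_escaped(sample)
  puts render_escaped_once(sample)
  # Constructed input: markup around a URL must still come out escaped.
  puts render_escaped_once('<b>x</b> & http://foo/?a=1&b=2 end')
end
```

Dropping the up-front CGI.escapeHTML call without escaping the non-URL segments elsewhere would leave the surrounding text unescaped in the HTML output, which is why the second function escapes both kinds of segment.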

History

#1 Updated by Go MAEDA over 5 years ago

Still reproducible in Redmine 3.2.0.
