Defect #22967
Special character like quote breaks wiki links
Status: Closed
Description
Affected versions: 3.1.5, 3.2.2 at least
To reproduce:
- create a new wiki page
- insert a link with a quote inside. For example: This is a link'test
Explanation:
I'm trying to upgrade Redmine from 2.4.2 to 3.1.5 (or 3.2.2) and I have an issue with the wiki links.
With the version 2.4.2, using quote "'" in the wiki links was working (using the redmine_redcarpet_formatter).
For example :
[[This is a link'test]]
With version 3.1.5 or 3.2.2 the same code breaks the wiki link during HTML formatting. The output is something like
This is a link&
I suspect there is a problem during the text escaping because the function ``parse_wiki_links`` in app/helpers/application_helper considers that there is an anchor. The supposed anchor comes from the HTML-escaped form of the quote (which is &#39;).
In French language, this is a major problem because the quote character is often used.
Regards,
Philippe Le Brouster.
Updated by Toshi MARUYAMA over 8 years ago
- Status changed from New to Needs feedback
Updated by Philippe Le Brouster over 8 years ago
- File wiki_edit.png added
- File wiki_content.png added
Hi,
The problem exists only with the markdown text format. The textile format is ok.
Did you test with the markdown text format?
I've just set up a vanilla Redmine 3.2.3 (tarball from the website), and I can reproduce this bug.
Regards,
Philippe Le Brouster
Updated by Toshi MARUYAMA over 8 years ago
- Subject changed from Special character like ' (quote) breaks wiki links to markdown: special character like ' (quote) breaks wiki links
- Status changed from Needs feedback to New
Updated by Adrien Crivelli over 8 years ago
I am also affected by this bug on Redmine 3.0.0.
I'd say it should be quite high on the priority list, because it will break things for a lot of french users, and possibly other languages too. But it will also break in English, as seen in those examples:
Markdown input:
[[Jack & Coke]] [[a "quoted" name]] [[le français, c'est super]] [[broken < less]] [[broken > more]] [[also <broken> link]]
Actual output:
Jack & Coke a "quoted" name le français, c& broken < less broken > more also link
Expected output:
Jack & Coke a "quoted" name le français, c'est super broken < less broken > more also broken link
Updated by Marius BĂLTEANU over 6 years ago
- File tests_for_special_characters_breaks_wiki_links.patch added
I made some tests based on the first 5 examples added by Adrien Crivelli in his post. The tests fail on both Textile and Markdown formatters.
Updated by Marius BĂLTEANU over 6 years ago
- File fix_for_22967.patch added
I also made a potential patch that fixes these issues. I'm saying just potential because I'm not sure if it is ok from a security point of view. From my tests it is ok, but I need a second opinion.
Regarding the case "[[also <broken> link]]", it is harder to make a fix because the tag is completely removed by the markdown formatter.
Updated by Marius BĂLTEANU over 6 years ago
- Status changed from New to Confirmed
Updated by Marius BĂLTEANU over 6 years ago
- Has duplicate Defect #10413: Creating wiki pages with special characters may be problematic added
Updated by Marius BĂLTEANU over 6 years ago
- Target version set to Candidate for next minor release
I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?
Updated by Go MAEDA over 6 years ago
Marius BALTEANU wrote:
I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?
I think 4.0.0 is preferable to minor releases because it requires some manual work to backport the tests to 3.4/3.3-stable.
Updated by Marius BĂLTEANU over 6 years ago
- Target version changed from Candidate for next minor release to 4.1.0
Updated by Go MAEDA over 6 years ago
- File fix_for_22967-v2.diff added
Update the patch for r17346.
Updated by Go MAEDA over 6 years ago
- Assignee changed from Go MAEDA to Marius BĂLTEANU
The following patch also works. Marius, do you think it is OK? I prefer this code because it is simpler and CGI.unescapeHTML is already used in application_helper.rb.
Index: app/helpers/application_helper.rb
===================================================================
--- app/helpers/application_helper.rb (revision 17346)
+++ app/helpers/application_helper.rb (working copy)
@@ -740,6 +740,7 @@
link_project = project
esc, all, page, title = $1, $2, $3, $5
if esc.nil?
+ page = CGI.unescapeHTML(page)
if page =~ /^\#(.+)$/
anchor = sanitize_anchor_name($1)
url = "##{anchor}"
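Review bot: after `page = CGI.unescapeHTML(page)` the name holds raw `<`, `>`, `"`, `'` and `&` even though the surrounding text was escaped up front, and the hunk stops before the place where `page` is used as link text, title or URL, so that output path has to escape it again (or go through `link_to`/`h`); if it passes the decoded string through as already-escaped HTML, `[[<script>alert(1)</script>]]` comes back raw. That is exactly the XSS question raised in this thread, and a test asserting that the rendered output of such a link contains `&lt;script&gt;` and no `<script>` would settle it. Two smaller points: `title` (`$5`) is left encoded, so a quote is now handled differently in the page name and in the title of `[[page|title]]`, and `CGI.unescapeHTML` also decodes `&amp;`, so a literally typed `[[A &amp; B]]` and `[[A & B]]` become the same page; both are worth a line in the commit message.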
Updated by Marius BĂLTEANU over 6 years ago
- Assignee deleted (Marius BĂLTEANU)
LGTM. I'm not sure why I chose the htmlentities gem over CGI at the time; I think I read somewhere that it is better, but I can't find it anymore.
Anyway, the single concern I have is how safe both of our solutions are against XSS, but from my tests, everything looks good. Maybe we should let Jean-Philippe Lang fix this one.
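An added example, not Redmine's code nor either of the patches above: a small Ruby model of the failure Philippe describes in the description (the text is HTML-escaped first and only then parsed for `[[...]]`, so the escaped apostrophe `&#39;` carries a `#` into the page name) and of the XSS concern raised in this comment (decode the name before the `#` split, then escape it again on output). The regex, the URL layout, the anchor sanitizer and the `render_link`/`link_texts` helpers are simplified stand-ins, not Redmine's; the inputs are the ones quoted in this thread plus a constructed `<script>` probe.

```ruby
require 'cgi'

# Simplified model of how Redmine rewrites [[page]], [[page#anchor]] and
# [[page|title]] after HTML-escaping the whole text. Added example; the
# regex, URL layout and anchor sanitizer are stand-ins, not Redmine's.
WIKI_LINK_RE = /\[\[([^\]\n|]+)(?:\|([^\]\n|]+))?\]\]/

# "page#anchor" -> ["page", "anchor"]; "page" -> ["page", nil].
def split_anchor(name)
  name =~ /\A(.+?)#(.+)\z/ ? [$1, $2] : [name, nil]
end

# Renders one link. +page+ is the raw page name (URL-encoded here);
# +text_html+ must already be HTML-escaped by the caller.
def render_link(page, anchor, text_html)
  href = "/wiki/#{CGI.escape(page)}"
  href += "##{anchor.gsub(/[^A-Za-z0-9_-]/, '')}" if anchor # crude sanitize_anchor_name stand-in
  %(<a href="#{CGI.escapeHTML(href)}" class="wiki-page">#{text_html}</a>)
end

# Buggy path (the 3.x behaviour reported here): the '#' split runs on the
# escaped name, so "link&#39;test" becomes page "link&" with anchor "39;test".
def parse_wiki_links_buggy(text)
  CGI.escapeHTML(text).gsub(WIKI_LINK_RE) do
    page, title = $1, $2 # both already escaped
    page, anchor = split_anchor(page)
    render_link(page, anchor, title || page)
  end
end

# Fixed path (the idea of the committed patch): decode the name before the
# '#' split, then escape it again on output so decoded text never reaches
# the HTML raw. Dropping that second escape is the XSS Marius asks about.
def parse_wiki_links_fixed(text)
  CGI.escapeHTML(text).gsub(WIKI_LINK_RE) do
    page, title = $1, $2
    page = CGI.unescapeHTML(page)
    page, anchor = split_anchor(page)
    render_link(page, anchor, title || CGI.escapeHTML(page))
  end
end

# Visible link text of every <a> in +html+, decoded, for comparison with
# the outputs quoted in this issue.
def link_texts(html)
  html.scan(%r{<a [^>]*>(.*?)</a>}).flatten.map { |t| CGI.unescapeHTML(t) }
end

if __FILE__ == $0
  sample = "[[This is a link'test]] [[Jack & Coke]] [[le français, c'est super]]"
  p link_texts(parse_wiki_links_buggy(sample)) # truncated at the apostrophe
  p link_texts(parse_wiki_links_fixed(sample))
  puts parse_wiki_links_fixed("[[<script>alert(1)</script>]]") # stays escaped
end
```

The buggy path reproduces the `This is a link&` and `c&` outputs quoted above while `Jack & Coke`, `"quoted"`, `<` and `>` survive, because only `&#39;` contains a `#`. The fixed path keeps the decoded name out of the markup by escaping it once more in `render_link`; an `[[also <broken> link]]` case cannot be modelled here since, as noted above, the markdown formatter drops the tag before this step runs.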
Updated by Go MAEDA over 6 years ago
- Target version changed from 4.1.0 to 4.0.0
Updated by Jean-Philippe Lang over 6 years ago
- Subject changed from markdown: special character like ' (quote) breaks wiki links to Special character like quote breaks wiki links
- Status changed from Confirmed to Closed
- Resolution set to Fixed
Patch committed, thanks.
Updated by Marius BĂLTEANU over 6 years ago
- Has duplicate Defect #11985: Version Wiki page '#' gets escaped added