Defect #22967

Special character like quote breaks wiki links

Added by Philippe Le Brouster almost 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
Wiki
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Affected version: 3.1.5, 3.2.2, at least
To reproduce:

Explanation:

I'm trying to upgrade redmine from 2.4.2 to 3.1.5 (or 3.2.2) and I've an issue with the wiki links.

With the version 2.4.2, using quote "'" in the wiki links was working (using the redmine_redcarpet_formatter).

For example :

[[This is a link'test]]

With version 3.1.5 or 3.2.2, the same code breaks the wiki link during HTML formatting. The output is something like

This is a link&

I suspect there is a problem during the text escaping, because the function ``parse_wiki_links`` in app/helpers/application_helper considers that there is an anchor. The supposed anchor comes from the HTML-escaped form of the quote (which is &#39).

In the French language this is a major problem, because the quote character is used very often.

Regards,
Philippe Le Brouster.


Files

link.png (11 KB), Toshi MARUYAMA, 2016-06-22 16:51
wiki_edit.png (5.87 KB), content when editing, Philippe Le Brouster, 2016-06-23 14:55
wiki_content.png (8.63 KB), content when viewing, Philippe Le Brouster, 2016-06-23 14:55
tests_for_special_characters_breaks_wiki_links.patch (2.31 KB), Marius BĂLTEANU, 2018-03-31 14:58
fix_for_22967.patch (965 Bytes), Marius BĂLTEANU, 2018-03-31 15:17
fix_for_22967-v2.diff (868 Bytes), patch for r17346, Go MAEDA, 2018-05-22 12:53

Related issues

Has duplicate Redmine - Defect #10413: Creating wiki pages with special characters may be problematic (Closed)
Has duplicate Redmine - Defect #11985: Version Wiki page '#' gets escaped (Closed)

Actions #1

Updated by Toshi MARUYAMA almost 8 years ago

I cannot reproduce on vanilla Redmine 3.2.3 ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux].

Actions #2

Updated by Toshi MARUYAMA almost 8 years ago

  • Status changed from New to Needs feedback
Actions #3

Updated by Philippe Le Brouster almost 8 years ago

Hi,

The problem exists only with the markdown text format. The textile format is ok.

Did you test with the markdown text format?

I've just set up a vanilla Redmine 3.2.3 (tarball from the website), and I can reproduce this bug.

Screenshot wiki_edit.png: content when editing

Screenshot wiki_content.png: content when viewing

Regards,
Philippe Le Brouster

Actions #4

Updated by Toshi MARUYAMA over 7 years ago

  • Subject changed from Special character like ' (quote) breaks wiki links to markdown: special character like ' (quote) breaks wiki links
  • Status changed from Needs feedback to New
Actions #5

Updated by Adrien Crivelli over 7 years ago

I am also affected by this bug on Redmine 3.0.0.

I'd say it should be quite high on the priority list, because it will break things for a lot of french users, and possibly other languages too. But it will also break in English, as seen in those examples:

Markdown input:

[[Jack & Coke]]
[[a "quoted" name]]
[[le français, c'est super]]
[[broken < less]]
[[broken > more]]
[[also <broken> link]]

Actual output:

Jack &amp; Coke
a &quot;quoted&quot; name
le français, c&
broken &lt; less
broken &gt; more
also link

Expected output:

Jack & Coke
a "quoted" name
le français, c'est super
broken < less
broken > more
also broken link
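As an added illustration (not Redmine's code, and not posted by anyone in this thread), the Ruby model below reduces the wiki-link handling to the two steps that interact in this defect: the formatter HTML-escaping the page body, and the link parser splitting off a "#anchor" suffix from the page name. The names format_text, split_wiki_link, link_text and resolve are assumptions made for the demo; the sample inputs are Adrien Crivelli's list above, and the unescape option reproduces the CGI.unescapeHTML fix discussed later in the thread.

```ruby
require 'cgi'
# Constructed inputs (Adrien Crivelli's list above).
WIKI_INPUTS = [
  '[[Jack & Coke]]',
  '[[a "quoted" name]]',
  "[[le français, c'est super]]",
  '[[broken < less]]',
  '[[broken > more]]',
  '[[also <broken> link]]',
].freeze
# Same shape as Redmine's wiki-link regex: optional "!" escape, page, optional "|title".
WIKI_LINK_RE = /(!)?(\[\[([^\]\n\|]+)(\|([^\]\n\|]+))?\]\])/

# Stand-in for the text formatter: by the time parse_wiki_links runs, the body
# is already HTML-escaped, so "'" has become "&#39;" and "&" has become "&amp;".
def format_text(text)
  CGI.escapeHTML(text)
end

# Returns [page, anchor] for the first link in the already formatted text.
# unescape: false mirrors the pre-fix behaviour; unescape: true applies the
# CGI.unescapeHTML line from the patch in this thread.
def split_wiki_link(formatted, unescape: false)
  return nil unless formatted =~ WIKI_LINK_RE
  page = $3
  page = CGI.unescapeHTML(page) if unescape
  anchor = nil
  # "extract anchor" step: the first "#" separates page name and anchor.
  # Before the fix, the "#" inside "&#39;" is taken for that separator.
  if page =~ /^(.+?)\#(.+)$/
    page, anchor = $1, $2
  end
  [page, anchor]
end

# The page name is re-escaped when it is emitted as link text (link_to / h),
# so restoring "<" or "'" in +page+ does not put raw markup into the output.
def link_text(page)
  CGI.escapeHTML(page)
end
def resolve(text, unescape: false)
  split_wiki_link(format_text(text), unescape: unescape)
end

WIKI_INPUTS.each do |input|
  before = resolve(input)
  after = resolve(input, unescape: true)
  puts "#{input}: before=#{before.inspect} after=#{after.inspect} text=#{link_text(after[0])}"
end
```

Running it shows the pre-fix parser turning the "#" of "&#39;" into a bogus anchor (page "le français, c&"), while the fixed path yields the intended page name and link_text re-escapes it on output.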

Actions #6

Updated by Marius BĂLTEANU almost 6 years ago

I made some tests based on the first 5 examples added by Adrien Crivelli in his post. The tests fail on both Textile and Markdown formatters.

Actions #7

Updated by Marius BĂLTEANU almost 6 years ago

I also made a potential patch that fixes these issues. I'm saying just potential because I'm not sure if it is OK from a security point of view. From my tests it is OK, but I need a second opinion.

Regarding the case "[[also <broken> link]]", it is harder to make a fix because the tag is completely removed by the markdown formatter.

Actions #8

Updated by Marius BĂLTEANU almost 6 years ago

  • Status changed from New to Confirmed
Actions #9

Updated by Marius BĂLTEANU almost 6 years ago

  • Has duplicate Defect #10413: Creating wiki pages with special characters may be problematic added
Actions #10

Updated by Marius BĂLTEANU almost 6 years ago

  • Target version set to Candidate for next minor release

I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?

Actions #11

Updated by Go MAEDA almost 6 years ago

Marius BALTEANU wrote:

I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?

I think 4.0.0 is preferable to minor releases because it requires some manual work to backport the tests to 3.4/3.3-stable.

Actions #12

Updated by Marius BĂLTEANU almost 6 years ago

  • Target version changed from Candidate for next minor release to 4.1.0
Actions #13

Updated by Go MAEDA almost 6 years ago

  • Assignee set to Go MAEDA
Actions #14

Updated by Go MAEDA almost 6 years ago

Update the patch for r17346.

Actions #15

Updated by Go MAEDA almost 6 years ago

  • Assignee changed from Go MAEDA to Marius BĂLTEANU

The following patch also works. Marius, do you think it is OK? I prefer this code because it is simpler and CGI.unescapeHTML is already used in application_helper.rb.

Index: app/helpers/application_helper.rb
===================================================================
--- app/helpers/application_helper.rb    (revision 17346)
+++ app/helpers/application_helper.rb    (working copy)
@@ -740,6 +740,7 @@
       link_project = project
       esc, all, page, title = $1, $2, $3, $5
       if esc.nil?
+        page = CGI.unescapeHTML(page)
         if page =~ /^\#(.+)$/
           anchor = sanitize_anchor_name($1)
           url = "##{anchor}" 
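Review bot: Because the new `page = CGI.unescapeHTML(page)` runs before the `if page =~ /^\#(.+)$/` test, a page name whose leading `#` the formatter had entity-encoded is now treated as an anchor rather than a page; that branch is constrained by `sanitize_anchor_name($1)`, but the branches below this hunk (not shown) now receive `page` with `<`, `>`, `"` and `'` restored and depend on `link_to`/`h` re-escaping it wherever it becomes link text or part of a URL. Suggest adding a test with a markup-like page name next to the five in the attached tests patch so that re-escaping is asserted rather than assumed, and a short comment on the new line noting that `title` ($5) is deliberately left escaped because it is emitted as text.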
Actions #16

Updated by Marius BĂLTEANU almost 6 years ago

  • Assignee deleted (Marius BĂLTEANU)

LGTM. I'm not sure why I chose the htmlentities gem instead of CGI back then; I think I read somewhere that it is better, but I can't find it anymore.

Anyway, the single concern I have is how safe both of our solutions are against XSS, but from my tests everything looks good. Maybe we should let Jean-Philippe Lang fix this one.

Actions #17

Updated by Go MAEDA almost 6 years ago

  • Assignee set to Jean-Philippe Lang
Actions #18

Updated by Go MAEDA almost 6 years ago

  • Target version changed from 4.1.0 to 4.0.0
Actions #19

Updated by Jean-Philippe Lang over 5 years ago

  • Subject changed from markdown: special character like ' (quote) breaks wiki links to Special character like quote breaks wiki links
  • Status changed from Confirmed to Closed
  • Resolution set to Fixed

Patch committed, thanks.

Actions #20

Updated by Marius BĂLTEANU over 5 years ago

  • Has duplicate Defect #11985: Version Wiki page '#' gets escaped added