Patch #41941
open
Add support for tel: protocol to custom fields
Added by Bernhard Rohloff 15 days ago.
Updated 12 days ago.
Description
These days softphones are very popular and used by many employees. It would be great if Redmine could create links with the tel protocol to let users make calls quickly and effortlessly.
It's a small change but can significantly increase the comfort for users.
Files
- Related to Feature #10889: Add support for the 'tel' URL protocol handler added
Your patch does (probably?) not solve the underlying issue and is at the wrong place.
uri_with_safe_scheme? is intended to validate the schemes of URLs of e.g. <img> tags or other resources which cause the browser to load them directly. The correct method to use for links would be uri_with_link_safe_scheme? instead.
With that being said, uri_with_safe_scheme? is the oldest of these related methods and its semantics have changed slightly over time. It might be that this method is still erroneously used in places where uri_with_link_safe_scheme? should be used instead.
In any case, please also provide some tests for changed behavior. This is especially important here since these changes may cause new XSS vulnerabilities in Redmine if we are not careful.
Holger Just wrote in #note-2:
Your patch does (probably?) not solve the underlying issue and is at the wrong place.
uri_with_safe_scheme? is intended to validate the schemes of URLs of e.g. <img> tags or other resources which cause the browser to load them directly. The correct method to use for links would be uri_with_link_safe_scheme? instead.
With that being said, uri_with_safe_scheme? is the oldest of these related methods and its semantics have changed slightly over time. It might be that this method is still erroneously used in places where uri_with_link_safe_scheme? should be used instead.
In any case, please also provide some tests for changed behavior. This is especially important here since these changes may cause new XSS vulnerabilities in Redmine if we are not careful.
The proposed change is only meant for providing the ability of creating links for phone numbers in custom fields. It's solving the issue as the method uri_with_link_safe_scheme? whitelists the allowed protocols for links and is used by source:trunk/lib/redmine/field_format.rb#L217. I've tested the solution and it's working in my dev environment. The patch just adds the :tel scheme to the list. Attached is a patch for extending the existing unit test of the proposed change.
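The distinction this thread turns on, as an added example that is not part of the ticket and is not Redmine's code: one allowlist for URLs the browser loads by itself and a wider one for links, with tel only in the latter. The method names (scheme_of, resource_safe?, link_safe?) and both scheme lists are assumptions made for illustration.

```ruby
# Added illustration, not Redmine's implementation. Names and lists are assumptions.

# Schemes the browser may fetch without user action (e.g. <img src>): keep minimal.
RESOURCE_SCHEMES = %w[http https].freeze
# Schemes acceptable behind a link the user has to click; tel is the proposed addition.
LINK_SCHEMES = (RESOURCE_SCHEMES + %w[ftp mailto tel]).freeze

# Returns the lower-cased scheme of +value+, or nil when it has none.
# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), followed by ":".
# \A anchors at the start of the string. Ruby's ^ would match after any newline,
# so "javascript:...\nhttp://x" would wrongly be read as an http URL.
def scheme_of(value)
  m = /\A([a-z][a-z0-9+.\-]*):/i.match(value.to_s)
  m && m[1].downcase
end

# True only for absolute URLs whose scheme may be loaded as a resource.
def resource_safe?(value)
  RESOURCE_SCHEMES.include?(scheme_of(value))
end

# True only for absolute URLs whose scheme may be used as a link target.
def link_safe?(value)
  LINK_SCHEMES.include?(scheme_of(value))
end

# Constructed sample values of the kind a custom field might receive.
SAMPLES = [
  "tel:+49123456789",                        # link only
  "https://example.com/logo.png",            # link and resource
  "JavaScript:alert(1)",                     # mixed case, not allowlisted
  " javascript:alert(1)",                    # leading space: no scheme parsed, rejected
  "java\tscript:alert(1)",                   # embedded tab: no scheme parsed, rejected
  "javascript:alert(1)\nhttp://example.com", # multi-line value
  "data:text/html,<b>x</b>"                  # not allowlisted
].freeze

SAMPLES.each do |s|
  puts format("%-45s link=%-5s resource=%s", s.inspect, link_safe?(s), resource_safe?(s))
end
```

Values that do not parse to a scheme are rejected rather than passed through, so whitespace or control characters that a browser would strip before interpreting the URL cannot be used to slip past the check.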