Defect #807

HTML not escaped in ticket descriptions

Added by David Förster about 14 years ago. Updated about 14 years ago.

Status:ClosedStart date:2008-03-07
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:UI
Target version:-
Resolution:Fixed Affected version:

Description

HTML Tags are not escaped in ticket comments.

Related issues

Related to Redmine - Feature #20497: Markdown formatting supporting HTML Closed
Related to Redmine - Feature #23717: Allow HTML View in description diff Closed

Associated revisions

Revision 1216
Added by Jean-Philippe Lang about 14 years ago

Textile formatting:
  • escape html tags, except pre tags (#807, #795)
  • try to avoid unwanted quick phrase modifiers

History

#1 Updated by Rocco Stanzione about 14 years ago

I think this is a have-your-cake-and-eat-it-too scenario. Issue descriptions are textilized so they can be formatted, and part of that is accepting HTML as-is. You should probably put any HTML in the descriptions (that you don't want interpreted by browsers) into a 

 tag.

    

  

  
  

    

    
#2
    
    Updated by Jean-Philippe Lang about 14 years ago


    
Actually, HTML is escaped here on redmine.org (eg. <h1>Redmine</h1>) except pre tags used for preformatted text.
I'll commit this change.

    

  

  
  

    

    
#3
    
    Updated by Jean-Philippe Lang about 14 years ago


    
    
       
  • Status changed from New to Closed
    • 
       
  • Resolution set to Fixed
    • 
    

    
Fixed in r1216 (only pre tags are not escaped).

    

  

  
  

    

    
#4
    
    Updated by Go MAEDA almost 7 years ago


    
    
       
  • Related to Feature #20497: Markdown formatting supporting HTML added
    • 
    

    
    

  

  
  

    

    
#5
    
    Updated by Go MAEDA over 2 years ago


    
    
       
  • Related to Feature #23717: Allow HTML View in description diff added
    • 
    

    
    

  

  























Also available in:  Atom
  PDF