View Issue Details

ID: 0014811
Project: mantisbt
Category: html
View Status: public
Last Update: 2014-12-08 02:07
Reporter: phyllisl
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0dev
Target Version: 1.3.0-beta.1
Summary: 0014811: Summary page doesn't generate properly because of special characters
Description

Just found out that if you have special characters in the name of a custom field, or in the name of a project, the summary report does not generate properly because of the special characters.

Apparently, string_html_specialchars() needs to be added at two other spots in summary_api.php, at around lines 57 and 394.

Additional Information

Originally reported in 0014744:0033110 by phyllisl

Tags: No tags attached.

Relationships

related to 0014721 (closed, dregad): Error page when generate summary in HTML format
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0014744 (closed, dregad): Unicode characters in text field prevent bug display

Activities

dregad

2012-10-10 08:30

developer   ~0033122

Can you please clarify what you mean by "the page does not generate properly"? Do you get errors, garbled output? Maybe a screenshot would help.

Also, in the interest of reproducing the problem, it would be nice to know exactly which special character(s) are causing an issue, and how they were actually entered in the system.

phyllisl

2012-10-10 16:09

reporter   ~0033147

If you have special characters such as &, < or > in the custom field name, the summary page report (by clicking the IE icon) is not properly displayed.

dregad

2012-10-11 07:26

developer   ~0033156

Last edited: 2012-10-11 07:59

With regard to adding special chars in custom field names, I need to check, because in 1.2 the system does not let you save the CF with e.g. a '>' in the name, but in 1.3 it is possible; it looks like some validation code was removed and I don't know why.

EDIT:
this was removed by daryn in commit 49bb5dfa as a follow-up of dhx commit 01d2ffad; the argument was that 'XSS issues should be handled on the output side of MantisBT rather than on the input side.'

In any case, considering the way custom fields are handled now, it should be no problem to have special characters in their name anymore.
/EDIT

That said, I tried to replicate the problem with current git head (6ad3873) but got no issue in summary page with a CF named 'test > &'.

It is still unclear to me what you mean by 'not properly displayed'.

dregad

2012-10-11 08:07

developer   ~0033157

I was able to trigger an XML error by adding, to a project name and/or a category name, the same special char that caused problems in 0014744, as well as '&' (but not '<' or '>').

I would still appreciate it if you could clarify/confirm the thing about custom fields, which makes no sense to me in the context of the summary page.
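The XML error described above, and the 'handle it on the output side' argument from the earlier comment, as an added PHP illustration that is not MantisBT code and not the c78c5863 fix: a project name is placed into a minimal summary-style XML document both raw and escaped, and each document is handed to the XML parser. htmlspecialchars() stands in for MantisBT's string_html_specialchars() wrapper (assumption: the wrapper itself is not reproduced), and the names are constructed samples.

```php
<?php
// Added illustration for issue 0014811 (not MantisBT code, not the c78c5863
// fix): place a project name into a minimal summary-style XML document, raw
// and escaped, and see what the XML parser makes of each.

// Build the document. htmlspecialchars() stands in for MantisBT's
// string_html_specialchars() (assumption: the wrapper is not reproduced).
function build_summary_xml( $p_project_name, $p_escape ) {
	$t_name = $p_escape
		? htmlspecialchars( $p_project_name, ENT_COMPAT, 'UTF-8' )
		: $p_project_name;
	return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
		. '<summary><project>' . $t_name . '</project></summary>';
}

// Parse the document and return the project text, or null when libxml
// rejects it; parser errors are collected rather than printed as warnings.
function parse_project_name( $p_xml ) {
	$t_previous = libxml_use_internal_errors( true );
	$t_doc = simplexml_load_string( $p_xml );
	libxml_clear_errors();
	libxml_use_internal_errors( $t_previous );
	return $t_doc === false ? null : (string)$t_doc->project;
}

// Constructed sample names; 'This & That' is the one from the comment above.
$t_names = array( 'Plain project', 'This & That', 'Fish &amp; Chips' );
foreach( $t_names as $t_name ) {
	foreach( array( 'raw' => false, 'escaped' => true ) as $t_label => $t_escape ) {
		$t_parsed = parse_project_name( build_summary_xml( $t_name, $t_escape ) );
		printf( "%-18s %-8s %s\n", "'$t_name'", $t_label,
			$t_parsed === null ? 'XML error' : "parsed as '$t_parsed'" );
	}
}
```

The third name shows the other half of the argument: inserted raw, a name that already looks like an entity is silently turned into something else by the parser, whereas escaping at output returns exactly the stored text.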

atrol

2012-10-11 08:22

developer   ~0033158

Maybe this reproducible issue is what is meant, but it has no connection to the summary page:

  1. Create a custom field with name "This & That", assign it to a project
  2. Go to "View Issues" page
  3. Go to "Print Reports" page
  4. Click the IE icon

dregad

2012-10-11 08:24

developer   ~0033159

Last edited: 2012-10-11 08:42

Thanks Roland, I'll check that

EDIT: Confirmed. Fix will be committed shortly (see 0014721)

grangeway

2013-04-05 17:57

reporter   ~0036226

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master c78c5863

2012-10-11 01:20

dregad

Fix 0014811: XML error in summary page

The error occurred when Project or Category Name contained special chars
Affected Issues
0014811
mod - core/summary_api.php