View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0020924 | mantisbt | html | public | 2016-05-17 20:15 | 2016-06-01 16:08 |
Reporter | j_schultz | Assigned To | dregad | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | closed | Resolution | won't fix | ||
Product Version | 1.2.19 | ||||
Summary | 0020924: Do not replace link titles in comments fields | ||||
Description | When inserting an HTML link (like <a href="http://example.org">text</a>), the link title is automatically replaced by the link URL. If the user added a link title, they surely had a good reason to do so, so it should be retained and not replaced - at least optionally, if you think that there are good reasons for the current behaviour. | ||||
Tags | No tags attached. | ||||
Clarification: The bug description should read (backslashes added to prevent Mantis from formatting the example HTML) |
|
What you enter in text fields is treated as text, and we just detect anything that looks like a URL and replace that with an anchor tag. We do not parse HTML, so we do not have any notion of URL "title". |
|
That cannot be quite correct, because the example.org link I posted in the bug description was an HTML link with link description, like this: <a href="http://example.org/">description</a>. You can edit this comment to see that it contains an HTML link with a description text that gets removed. |
|
Only selected HTML tags are authorized within MantisBT text fields (see $g_html_valid_tags). Anchor is not one of them (to prevent an XSS attack vector). When formatting text, we start by stripping all existing anchor tags (string_strip_href()), then encoding special chars, restoring authorized HTML tags, and finally adding links back (as plain URLs). This is handled by the MantisCoreFormatting plugin [1]; you can disable URL processing entirely, or replace the core functionality by your own customized version of the plugin to handle anchors the way you want. |
|
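The four-step order described in the note above (strip anchors, encode, restore authorized tags, re-add plain links), sketched as an added example. This is not MantisBT's code: the function names, the tag list and the simplified regular expressions are assumptions made for illustration.

```php
<?php
// Added illustration; not MantisBT code. Function names and the tag list are
// hypothetical, and the regular expressions are simplified for the example.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'pre', 'br'];

// 1. Replace <a href="URL">text</a> with the bare URL. The link text is lost
//    here, which is the behaviour the reporter observed.
function strip_anchors(string $text): string {
    return preg_replace('/<a\s[^>]*href="([^"]+)"[^>]*>[^<]*<\/a>/si', '$1', $text) ?? $text;
}

// 2. Encode every special character, so no user-supplied markup survives.
function encode_all(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Turn back only attribute-free allowed tags such as <b> or </pre>.
function restore_allowed_tags(string $text): string {
    $tags = implode('|', ALLOWED_TAGS);
    return preg_replace('/&lt;(\/?(?:' . $tags . '))\s*\/?&gt;/i', '<$1>', $text) ?? $text;
}

// 4. Re-create links from http(s) URLs only; the visible text is the URL itself.
//    Quotes are already entities and the match stops at any entity other than
//    &amp;, so the matched text cannot break out of the href attribute.
function linkify(string $text): string {
    $url = '~\bhttps?://[^\s<>&]+(?:&amp;[^\s<>&]+)*~i';
    return preg_replace($url, '<a href="$0" rel="noopener noreferrer">$0</a>', $text) ?? $text;
}

function format_comment(string $text): string {
    return linkify(restore_allowed_tags(encode_all(strip_anchors($text))));
}

// Constructed sample inputs: an anchor with link text, an anchor with a
// non-http scheme and an event attribute, and a mix of allowed and other tags.
$samples = [
    'See <a href="http://example.org/">description</a> for details',
    '<a href="javascript:void(0)" onclick="x()">click</a>',
    '<b>bold</b> and <script>x</script> at http://example.org/?a=1&b=2',
];
foreach ($samples as $s) {
    echo format_comment($s), PHP_EOL;
}
```

Because the only anchors in the output are the ones step 4 builds, user input never controls an anchor's attributes or link text; a plugin that keeps link text has to enforce the same scheme restriction and encoding itself.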
Shouldn't this behaviour not kick in when adding the anchor element to $g_html_valid_tags, though? How would I circumvent this behaviour without having to modify the Mantis core, as that will get overwritten with every update? |
|
As mentioned previously, anchor tags are disabled to avoid security issues. [1] https://github.com/mantisbt/mantisbt/blob/master/config_defaults_inc.php#L1797
This is exactly why I recommended you write a custom plugin to replace or supplement what MantisCoreFormatting does. |
|