View Issue Details

ID: 0000692
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2006-04-20 06:30
Reporter: hacker
Assigned To: prescience
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Intel
OS: Linux
OS Version: Debian GNU/Linux
Product Version: 0.15.1
Summary: 0000692: Any bug report which includes HTML is rendered AS html, not as text
Description

I have a project which requires us to see the actual HTML
tags themselves (Plucker) and when a user includes this in
their bug report, Mantis renders it as "real" html, so that
an (munged to display here) [a href=...] tag will show up as
clickable, not as "real" text. Prescience and I were working
on this last night. I have a small patch to fix this.

Steps To Reproduce

Just submit a bug report with an href constructed in the
description field; it will become immediately apparent.

Additional Information

Patch here:

--- /src/cvs/mantisbt/core_print_API.php Thu Jul 12 21:43:12 2001
+++ core_print_API.php Thu Jul 12 23:06:54 2001
@@ -705,8 +705,17 @@

Use this to prepare a string for display to HTML

    function string_display( $p_string ) {
            $p_string = stripslashes( $p_string );

+

  • Added here for displaying raw <a href..> tags in

  • the bug report

  • $p_string = htmlspecialchars(stripslashes( $p_string ));
  • $p_string = str_replace( "
    ", "
    ", $p_string );
  • $p_string = str_replace( "
    ", "
    ", $p_string );
  •         $p_string = process_bug_link( $p_string );
            $p_string = nl2br( $p_string );
  •         return $p_string;
    }
    ### --------------------
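Review bot: the added `$p_string = htmlspecialchars(stripslashes( $p_string ));` strips slashes a second time, because the existing `$p_string = stripslashes( $p_string );` two lines above is kept as unchanged context; a backslash the user typed would survive the first pass and be eaten by the second, so drop the inner call and escape the already-stripped string, i.e. `$p_string = htmlspecialchars( $p_string );`. The arguments of the two `str_replace` calls that follow are not legible in the hunk as captured here; if they re-escape `<` and `>` they are redundant after htmlspecialchars (which already converts `<`, `>`, `&` and `"`) and should be removed or their purpose stated in the comment, which currently only mentions `<a href..>` tags although the change makes every tag display literally. Keeping `process_bug_link` and `nl2br` after the escape is the right order, since both emit markup that must not itself be escaped.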
Tags: No tags attached.

Activities

jlatour   reporter   2002-05-20 01:10   ~0002605

Is this still an issue?

grangeway   reporter   2004-07-23 17:05   ~0006264

test a raw tag in a bugnote
<a href="http://mantisbt.org">test</a>

ryandesign   reporter   2006-03-02 07:13   ~0012265

I don't think this could be an issue anymore. Current versions of Mantis do run htmlspecialchars() over the string before outputting, and only allow the HTML tags configured in $g_html_valid_tags to be displayed verbatim. If you want no HTML tags to be passed through, define this configuration variable to be the empty string.
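One way to implement the behaviour ryandesign describes, and the fix the original report asks for (markup in a bug report shown as text rather than rendered), as an added PHP example that is not MantisBT's own string_display() code: escape everything with htmlspecialchars(), then re-allow only a configured list of bare tag names, then add line breaks. The function name render_user_text, its $valid_tags parameter (standing in for $g_html_valid_tags) and the sample inputs are constructed for this illustration.

```php
<?php
// Added illustration, not MantisBT's string_display(): escape all markup,
// then selectively restore a whitelist of bare tags (cf. $g_html_valid_tags).

/**
 * Render user-supplied text for inclusion in an HTML page.
 *
 * @param string   $text       raw bug report / bugnote text
 * @param string[] $valid_tags tag names allowed through verbatim as bare
 *                             tags only (<b>, </b>); attributes are never
 *                             re-enabled, so <a href="..."> stays literal
 */
function render_user_text(string $text, array $valid_tags = []): string
{
    // Step 1: neutralise every tag and entity. ENT_QUOTES also escapes
    // single and double quotes, so the result is safe inside attribute
    // values as well as element bodies; ENT_SUBSTITUTE avoids returning
    // an empty string on invalid UTF-8 (which would silently drop text).
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: restore only the exact escaped forms &lt;tag&gt; and
    // &lt;/tag&gt; for whitelisted names. A whitelisted tag that carries
    // attributes (e.g. &lt;b onmouseover=...&gt;) does not match and is
    // left escaped; the matching &lt;/b&gt; is still restored, which leaves
    // an inert stray </b> rather than live markup.
    foreach ($valid_tags as $tag) {
        $tag = strtolower(trim($tag));
        if ($tag === '' || !ctype_alpha($tag)) {
            continue; // ignore malformed whitelist entries
        }
        $safe = str_ireplace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $safe
        );
    }

    // Step 3: line breaks last, so the <br /> we add is not itself escaped.
    return nl2br($safe);
}

// Constructed sample inputs for this example.
$samples = [
    // the raw tag grangeway posted above: must come out as literal text
    '<a href="http://mantisbt.org">test</a>',
    // whitelisted formatting passes; script and the ampersand are escaped
    "<b>bold</b> & <script>alert(1)</script>\nnext line",
    // whitelisted tag name with an attribute stays escaped
    '<b onmouseover="x">attr</b>',
];

foreach ($samples as $s) {
    echo render_user_text($s, ['b', 'i']), "\n---\n";
}
```

Passing an empty $valid_tags array gives the "no HTML at all" behaviour ryandesign mentions for an empty $g_html_valid_tags; because the whitelist is applied to the escaped string and matches only attribute-free tags, the configuration cannot be used to let event-handler attributes or href values through.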