View Issue Details

| Field | Value |
|---|---|
| ID | 0024999 |
| Project | mantisbt |
| Category | markdown |
| View Status | public |
| Date Submitted | 2018-11-20 18:49 |
| Last Update | 2018-12-05 02:03 |
| Reporter | ecognito |
| Assigned To | dregad |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | duplicate |
| Summary | 0024999: Remove call to `$Parsedown->setSafeMode(true)` in MantisMarkdown.php |
Description

A call to `$Parsedown->setSafeMode(true)` in MantisMarkdown.php makes it no longer possible to include HTML tags as part of your markdown mark-up in text fields. (In my specific case, this breaks a lot of text fields that were exported from our previous bug tracking system.) It was added "to ensure we're protected against link-based XSS", but I don't believe it is needed, as MantisBT already protects you via the whitelisting of allowed HTML tags (see the `html_valid_tags` global). The README.md for Parsedown itself says:

MantisBT is already sanitizing the HTML, thus the call to `$Parsedown->setSafeMode(true)`
Tags: No tags attached.
For the record, we are not actually sanitizing the HTML, we are simply restricting which tags can be used or not, which is not quite the same thing. XSS attacks would still be possible. I am aware that the introduction of Parsedown safe mode created several issues and regressions (see 0024240, 0024628). I started working on fixing these, but it is actually a very complex problem due to the interaction with our own text-processing routines and the need to maintain backwards compatibility with HTML tags. In addition to my own lack of time to spend on this, to best address this we also require Parsedown functionality that has not yet been formally released. Until then, if this is a blocking problem for you, I invite you to switch off safe mode in your own instance, at your own risk of course. In any case, this issue is a duplicate of 0024241, so I'm going to close it.
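The distinction drawn in the note above, restricting which tags may appear versus sanitizing the markup, is easy to miss until you see the payloads side by side. The following is an added illustration and is not part of the original issue, nor MantisBT's or Parsedown's own code. It implements two filters over HTML fragments: `whitelist_tags()` keeps only an allowed tag set and passes every attribute through unchanged, while `sanitize_html()` additionally enforces a per-tag attribute policy and a URL-scheme check on `href`/`src`. The tag list, the attribute policy and the sample payloads are all constructed for the example; they are not MantisBT's actual `html_valid_tags` configuration.

```python
# Added example (not MantisBT or Parsedown code): a tag whitelist is not a sanitizer.
# Both filters below keep only ALLOWED_TAGS; only sanitize_html() also vets
# attributes and URL schemes. The tag list and policy are assumed for
# illustration; they are not MantisBT's real html_valid_tags setting.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "img", "b", "i", "em", "strong", "code", "pre", "br"}
VOID_TAGS = {"img", "br"}
# Per-tag attribute policy, used only by the sanitizing mode.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"http:", "https:", "mailto:"}


def _safe_url(url: str) -> bool:
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc.
    Whitespace and control characters are stripped first because browsers
    ignore them inside a scheme ("java\\nscript:")."""
    u = re.sub(r"[\x00-\x20]", "", url).lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*:", u)
    if not m:
        return True  # no scheme at all: a relative URL
    return m.group(0) in SAFE_SCHEMES


class _TagFilter(HTMLParser):
    def __init__(self, sanitize: bool):
        super().__init__(convert_charrefs=True)  # attribute values arrive entity-decoded
        self.sanitize = sanitize
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag dropped in both modes; its text content is kept
        kept = []
        for name, value in attrs:
            value = value if value is not None else ""
            if self.sanitize:
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # drops onerror=, onclick=, style=, ...
                if name in ("href", "src") and not _safe_url(value):
                    continue  # drops javascript:/data: URLs on otherwise allowed tags
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<br/>" is emitted once, without a closing tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def _run(fragment: str, sanitize: bool) -> str:
    parser = _TagFilter(sanitize)
    parser.feed(fragment)
    parser.close()  # flush buffered text before reading the result
    return "".join(parser.out)


def whitelist_tags(fragment: str) -> str:
    """Tag whitelist only: attributes on allowed tags pass through untouched."""
    return _run(fragment, sanitize=False)


def sanitize_html(fragment: str) -> str:
    """Tag whitelist plus attribute and URL-scheme policy."""
    return _run(fragment, sanitize=True)


if __name__ == "__main__":
    # Constructed payloads; the first three survive a tag-only whitelist.
    samples = [
        '<a href="javascript:alert(1)">click</a>',       # link-based XSS on an allowed tag
        '<a href="&#106;avascript:alert(1)">click</a>',  # same scheme, entity-encoded
        '<img src="x" onerror="alert(1)">',               # event handler on an allowed tag
        '<script>alert(1)</script>',                      # disallowed tag: both modes drop it
    ]
    for s in samples:
        print(f"{s}\n  whitelist: {whitelist_tags(s)}\n  sanitize:  {sanitize_html(s)}")
```

The point the example makes is the one in the note: once `<a>` and `<img>` are on the allowed list, a whitelist that does not also look at attribute names and URL schemes lets `href="javascript:..."` and `onerror=` through intact, and entity-encoding the scheme does not help the filter because the browser decodes it just as the parser here does. Parsedown's safe mode addresses the markdown-generated variant of the first case (`[click](javascript:...)`), which a filter that only runs on raw HTML tags would never see as a tag at all.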
Hi @dregad and thanks for the explanation. Really appreciate it and agree with the assessment.