View Issue Details

ID: 0024999
Project: mantisbt
Category: markdown
View Status: public
Last Update: 2018-12-05 02:03
Reporter: ecognito
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Summary: 0024999: Remove call to $Parsedown->setSafeMode(true) in MantisMarkdown.php
Description

A call to $Parsedown->setSafeMode(true) was added to plugins/MantisCoreFormatting/core/MantisMarkdown.php around April this year as part of issue 0024186.

This makes it no longer possible to include HTML tags as part of your markdown mark-up in text fields. (In my specific case, this breaks a lot of text fields that were exported from our previous bug tracking system.)

It was added "to ensure we're protected against link-based XSS" but I don't believe it is needed, as MantisBT already protects you via the whitelisting of allowed HTML tags (see the html_valid_tags global).

The README.md for Parsedown itself says:

If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitizer that allows HTML tags to be whitelisted, like HTML Purifier.

MantisBT is already sanitizing the HTML, thus the call to setSafeMode(true) does not offer additional protection, but removes a feature.

Tags: No tags attached.

Relationships

duplicate of 0024241 (assigned, dregad): $g_html_valid_tags are not rendered if Markdown is enabled

Activities

atrol

2018-11-21 06:16

developer   ~0060991

Please read Additional Information in 0024186
Do you still think that setSafeMode is not needed?

dregad

2018-11-22 06:41

developer   ~0060993

@ecognito

For the record, we are not actually sanitizing the HTML, we are simply restricting which tags can be used or not - which is not quite the same thing. XSS attacks would still be possible.

I am aware that the introduction of Parsedown safe mode created several issues and regressions (see 0024240, 0024628). I started working on fixing these, but it is actually a very complex problem due to the interaction with our own text-processing routines and the need to maintain backwards compatibility with HTML tags. In addition to my own lack of time to spend on this, to best address this we also require Parsedown functionality that has not yet been formally released.

Until then, if this is a blocking problem for you, I invite you to switch off safe mode in your own instance - at your own risk of course.

In any case, this issue is a duplicate of 0024241, so I'm going to close it.
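An added example (not MantisBT's or Parsedown's code) illustrating the point made above: restricting which tags may appear is not the same as sanitizing. A hypothetical tag whitelist stands in for $g_html_valid_tags, and the same input is filtered once with the tag list alone and once with attribute and URL-scheme filtering on top; the tag list, attribute list and sample input are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical tag whitelist standing in for MantisBT's $g_html_valid_tags
# (constructed for this example, not the project's real default).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li"}
# What a sanitizer adds on top of a tag list: a per-tag attribute allow-list
# and the URL schemes accepted on links (scheme-less relative URLs pass).
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

class _Filter(HTMLParser):
    def __init__(self, sanitize_attrs):
        super().__init__(convert_charrefs=True)
        self.sanitize_attrs, self.out = sanitize_attrs, []

    def _attrs(self, tag, attrs):
        if not self.sanitize_attrs:
            return attrs  # tag whitelist only: every attribute passes verbatim
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* event handlers, style, etc.
            if name == "href" and ":" in value and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # link whose scheme is not allow-listed is dropped
            kept.append((name, value))
        return kept
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag removed; its text is still emitted by handle_data
        parts = [tag] + [f'{n}="{escape(v or "")}"' for n, v in self._attrs(tag, attrs)]
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def filter_html(html, sanitize_attrs):
    # sanitize_attrs=False: tag restriction alone; True: tags plus attribute/scheme filtering
    f = _Filter(sanitize_attrs)
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample: allowed <a> tags carrying an event handler and a javascript: URL,
# plus a disallowed <script> that the tag list alone already removes.
SAMPLE = ('<p>See <a href="https://example.com" onclick="void(0)">docs</a> and '
          '<a href="javascript:void(0)">here</a><script>void(0)</script></p>')
```

With the tag list alone, both `<a>` elements survive with their onclick handler and javascript: URL intact; with attribute and scheme filtering, only the https link remains.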

ecognito

2018-11-22 14:54

reporter   ~0060996

Hi @dregad and thanks for the explanation. Really appreciate it and agree with the assessment.