View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027099 | mantisbt | html | public | 2020-07-19 08:18 | 2024-04-08 08:44 |
Reporter | loris.nardo | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | confirmed | Resolution | open | ||
Product Version | 2.24.1 | ||||
Target Version | 2.27.0 | ||||
Summary | 0027099: Inconsistent escape of html entities while editing an issue | ||||
Description | If the description of an issue contains raw html entities, they are transformed back into the equivalent characters during the edit of the issue. | ||||
Steps To Reproduce |
This assume a default configuration for MantisBT | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
related to: 0008540 |
|
The content for the textarea (for editing) is processed in the same way as text for the output (for displaying).
^ this code snippet is the perfect sample for this unwanted behaviour. I think that both have a different scope. The text to be edited in the textarea should not be treated in any way (except for
The same applies to text fields. See 0008540. But unlike Like Or one for all Of course, all this based on very less knowledge of all the MantisBT internals. The basic idea is something like: "No mixing of different purposes". |
|
@hotzeplotz I agree with your analysis in general. I have not looked at the specifics of actual string_api functions. More than related, it looks like 0008540 is the same issue, no ? |
|
Yes, it's a duplicate. |
|
We have already functions that looks right for the purpose of displaying something.
It somehow sounds logical that everything that is to be displayed runs through our plugin and processed with the - soon to be available - HTMLPurifier. |
|
I think a quick fix is possible, at least for the textareas. PHPstorm found 12 occurrences of eg
If this is wanted, i would open a PR Just change from
to
Would also add a Test for it in test/Mantis/StringTest.php |
|
looking at the code block above … could cry. I can hardly wait until the markdown PR is finally merged. :-) |
|
I looked at the history for string_html_specialchars() function.
Based on outcome of 2, the correct fix could be to get rid of string_html_specialchars() completely... |
|
Weird. No idea. Two things could happen. 1.) A silent improvment, nobody gets notice of I can't make a valid advice here. You also copied it, not that long ago … for a reason i guess. https://github.com/mantisbt/mantisbt/pull/1511/commits/73a493215f29ea319fa4899bc25cc2b9fe61bc60
A very quick "review" reveals interesting usages. A property … Is it user input?
https://github.com/mantisbt/mantisbt/blob/master/manage_config_revert.php#L78 Both are the same
https://github.com/mantisbt/mantisbt/blob/master/bug_view_inc.php#L1154 seriously? :-) strict types and a type hint "string_attribute(string $p_string)" would help.
https://github.com/mantisbt/mantisbt/blob/master/account_sponsor_page.php#L179 Any user input here? Here it is used to display the status, not used for an attribute value. Theoretically
Vice versa, some of them, where theoretically
I am sure much more wrong/mixed/weird usages are buried somewhere. Makeing this consist is not an easy task. I still think that everything that should be displayed should go through string_display and everything used in a form should go through … something other. |
|