Vote #77488
完了Special character like quote breaks wiki links
0%
説明
Affected version: 3.1.5, 3.2.2, at least
To reproduce:
- create a new wiki page
- insert a link with a quote inside. For ex. : This is a link'test
Explanation:
I'm trying to upgrade redmine from 2.4.2 to 3.1.5 (or 3.2.2) and I've an issue with the wiki links.
With the version 2.4.2, using quote "'" in the wiki links was working (using the redmine_redcarpet_formatter).
For example :
[[This is a link'test]]
With the version 3.1.5 or 3.2.2 the same code break the wiki link during html formatting. The output is something like
This is a link&
I suspect there is a problem during the text escaping because the function parse_wiki_links in app/helpers/application_helper consider that there is an anchor. The supposed anchor come from the html escaped form of the quote (which is ').
In French language, this is a major problem because the quote character is often used.
Regards,
Philippe Le Brouster.
journals
I cannot reproduce on vanilla Redmine version:3.2.3 ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux].
!link.png!
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Hi,
The problem exists only with the markdown text format. The textile format is ok.
Did you test with this markdown text format ?
I've just set a vanilla redmine 3.2.3 (tarball from the website). And I can reproduce this bug.
!wiki_edit.png!
!wiki_content.png!
Regards,
Philippe Le Brouster
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
I am also affected by this bug on Redmine 3.0.0.
I'd say it should be quite high on the priority list, because it will break things for a lot of french users, and possibly other languages too. But it will also break in English, as seen in those examples:
Markdown input:
<pre>
[[Jack & Coke]]
[[a "quoted" name]]
[[le français, c'est super]]
[[broken < less]]
[[broken > more]]
[[also <broken> link]]
</pre>
Actual output:
<pre>
Jack & Coke
a "quoted" name
le français, c&
broken < less
broken > more
also link
</pre>
Expected output:
<pre>
Jack & Coke
a "quoted" name
le français, c'est super
broken < less
broken > more
also broken link
</pre>
--------------------------------------------------------------------------------
I made some tests based on the first 5 examples added by Adrien Crivelli in his post. The tests fail on both Textile and Markdown formatters.
--------------------------------------------------------------------------------
I made also a potential patch that fixes these issues. I'm saying just potential because I'm not sure if it is ok from a security point of view. From my tests it is ok, but I need a second opinion.
Regarding the case "@[[also <broken> link]]@", is harder to make a fix because the tag is completely removed by the markdown formatter.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?
--------------------------------------------------------------------------------
Marius BALTEANU wrote:
> I'm considering this issue quite annoying and I would like to fix it in a next version. @Go Maeda, which version do you think is more appropriate?
I think 4.0.0 is preferable to minor releases because it requires some manual work to backport the tests to 3.4/3.3-stable.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Update the patch for r17346.
--------------------------------------------------------------------------------
The following patch also works. Marius, do you think it is OK? I prefer this code because it is simpler and @CGI.unescapeHTML@ is already used in application_helper.rb.
<pre><code class="diff">
Index: app/helpers/application_helper.rb
===================================================================
--- app/helpers/application_helper.rb (revision 17346)
+++ app/helpers/application_helper.rb (working copy)
@@ -740,6 +740,7 @@
link_project = project
esc, all, page, title = $1, $2, $3, $5
if esc.nil?
+ page = CGI.unescapeHTML(page)
if page =~ /^\#(.+)$/
anchor = sanitize_anchor_name($1)
url = "##{anchor}"
</code></pre>
--------------------------------------------------------------------------------
LGTM. I'm not sure why I chose then the htmlentities gem instead of CGI, I think that I've read somewhere that it is better, but I can't find anymore.
Anyway, the single concern I have is regarding how safe are our both solution against XSS, but from my tests, everything looks good. Maybe we should let Jean-Philippe Lang to fix this one.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Patch committed, thanks.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
related_issues
duplicates,Closed,10413,Creating wiki pages with special characters may be problematic
duplicates,Closed,11985,Version Wiki page '#' gets escaped