Edgewall Software

Ticket #2428 (closed defect: duplicate)

Opened 6 years ago

Last modified 5 years ago

html wikiprocessor doesn't ensure all tags are closed

Reported by: dkg-debian.org@…
Owned by: jonas
Priority: normal
Milestone:
Component: general
Version: 0.9
Severity: normal
Keywords: security
Cc: dkg-debian.org@…
Release Notes:
API Changes:

Description

The html WikiProcessor should ensure that all tags opened by the inline html are appropriately closed.

For example, including the following code would effectively swallow up the rest of the page into this trouble-ticket field:

{{{
#!html
<table><tr><td>
}}}

I'll actually post this code directly in a followup to this ticket so that you can see what the page looks like.

Attachments

Change History

comment:1 Changed 6 years ago by dkg-debian.org@…

Here's me posting the code directly: note how the remainder of the page gets swallowed up by this followup:

Now we're in a table!

comment:2 Changed 6 years ago by dkg-debian.org@…

Here's another example of an unclosed tag:

It's all bold and underlined and big and italic!

comment:3 Changed 6 years ago by cboos

The idea is that if you need to go down to the HTML level,
you should also be able to do it "cleanly"...

I'm not sure it makes sense to implement some kind
of HTML parser here, as you can Preview the
effect of your macro and correct it, if needed.

Sure, #454 would help here too, when you forgot to preview...

comment:4 follow-up: Changed 6 years ago by mgood

I actually consider this a feature of the HTML blocks, since it would allow things like:

{{{
[[html(<div style="border: 1px solid red">)]]
WikiText with a red border
[[html(</div>)]]
}}}

WikiText with a red border

comment:5 in reply to: ↑ 4 ; follow-up: Changed 5 years ago by dkg-debian.org@…

  • Cc dkg-debian.org@… added

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things ...

Ah! I can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags. Otherwise, I could do things like hide all remaining comments in the thread with a <div style="display:none;"> wrapped in the html preprocessor, right?

comment:6 in reply to: ↑ 5 ; follow-up: Changed 5 years ago by cboos

Replying to dkg-debian.org@fifthhorseman.net:

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things ...

Ah! I can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags.

Agreed.

Otherwise, I could do things like hide all remaining comments in the thread with a <div style="display:none;"> wrapped in the html preprocessor, right?

No, this kind of thing is reserved for spammers, and you're not one of them ;)

comment:7 in reply to: ↑ 6 Changed 5 years ago by cboos

  • Resolution set to duplicate
  • Status changed from new to closed

Replying to cboos:

Replying to dkg-debian.org@fifthhorseman.net:

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things ...

Ah! I can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags.

Agreed.

Following-up on that point in #2048.
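
The per-comment containment discussed in this thread (close whatever a comment left open, so its markup cannot reach later comments) can be sketched as follows. This is an added example, not Trac's code and not written by any participant in the ticket; `FragmentBalancer` and `balance` are hypothetical names, and it assumes `script` and `style` elements were already stripped by a sanitizer.

```python
from html.parser import HTMLParser

# Elements that never take a closing tag (HTML void elements).
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class FragmentBalancer(HTMLParser):
    """Re-emit one comment's HTML so it cannot affect markup outside it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []     # re-emitted markup (HTML comments are dropped)
        self.stack = []   # elements currently open, innermost last

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray closer: it would close an element of the page itself
        while True:  # close everything opened inside the element being closed
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # A raw "<" arriving as text (e.g. an unterminated tag) must stay text.
        self.out.append(data.replace("<", "&lt;"))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def balance(fragment):
    """Return the fragment with every element it opened closed again."""
    parser = FragmentBalancer()
    parser.feed(fragment)
    parser.close()
    while parser.stack:  # close what the comment left open, innermost first
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)
```

Run once per rendered comment, this still allows the open-and-close `<div>` pattern within a single comment while keeping a `<table>` or a hidden `<div>` from spanning into the next one.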
