Edgewall Software
Modify

Opened 17 years ago

Closed 16 years ago

#4388 closed defect (worksforme)

[PATCH] Double quote in attachment summary = Image macro failure

Reported by: anonymous Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: 0.10.1
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

  1. Attach an image file [to a wiki page].
  2. Attempt to display that image via, i.e. [[Image(filename.png)]]

If the summary of that attachment contains a double-quote, the image tag will be completely suppressed. (An over-sanitation of attempting to put the summary into the alt/title?)

Suggested resolution: escape " to "

As discussed here: http://groups.google.com/group/trac-users/browse_thread/thread/a44874225153cf1d

Attachments (2)

image_macro_quotes_r4547.diff (596 bytes ) - added by maz <mzizka@…> 17 years ago.
Remove sanitizing in Image macro
image_macro_quotes_test_r4547.diff (860 bytes ) - added by maz <mzizka@…> 17 years ago.
Test case for embedded quotes in title

Download all attachments as: .zip

Change History (10)

comment:1 by maz <mzizka@…>, 17 years ago

Summary: Double quote in attachment summary = Image macro failure[PATCH] Double quote in attachment summary = Image macro failure

The Image macro calls sanitize() on the resulting markup, and the tag ends up being removed. Removing the call to sanitize, i.e. in macros.py: 

        #result = Markup(html.IMG(src=raw_url, **attr)).sanitize()
        result = html.IMG(src=raw_url, **attr)

Will results in: 

<img src="/xxx/attachment/wiki/TestPage/attachment.png?format=raw" alt="&#34;this&#34; is a &#34;test&#34;" title="&#34;this&#34; is a &#34;test&#34;" />

So the quotes are properly escaped, but the sanitizing removes the result. As far as I know, manual sanitizing of this sort has not been necessary for a good while now.

by maz <mzizka@…>, 17 years ago

Attachment: image_macro_quotes_r4547.diff added

Remove sanitizing in Image macro

by maz <mzizka@…>, 17 years ago

Attachment: image_macro_quotes_test_r4547.diff added

Test case for embedded quotes in title

comment:2 by maz <mzizka@…>, 17 years ago

Milestone: 0.10.4

comment:3 by sid, 17 years ago

#5381 was marked as a duplicate of this ticket.

comment:4 by sid, 17 years ago

Oops, that last comment should have been: #5318 was marked as a duplicate of this ticket

comment:5 by anonymous, 17 years ago

Hrm I've had to do manual sanitizing in other macros (to block <script> etc..); perhaps we should be clear about where it's getting sanitized in this case?

Is it in the way the title is fetched? To be satisfied of this I'd really like a comment or something so nobody looking at this in isolation says "hang on a second! where's the sanitization?"

If we're not clear where it's sanitized then I'd prefer to blank out questionable characters to make sure more things "pass" than remove the sanitize() call.

comment:6 by Emmanuel Blot, 16 years ago

#6565 was marked as a duplicate of this ticket.

See also #3814.

comment:7 by osimons, 16 years ago

This is no longer a problem with current 0.11b1+ from my testing.

Seeing this ticket actually has a patch (that I haven't looked at), I think either some dev should grab this ticket for fix in 0.10-stable, or I propose 'worksforme' with recommended solution to upgrade.

comment:8 by Christian Boos, 16 years ago

Milestone: 0.10.5
Resolution: worksforme
Status: newclosed

Upgrading should be preferred, yes.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.