Ticket #743 (closed defect: fixed)
Opened 8 years ago
Last modified 6 years ago
New ticket screen does not escape entities in summary on preview
| Reported by: | anonymous | Owned by: | cmlenz |
|---|---|---|---|
| Priority: | low | Milestone: | 0.8 |
| Component: | ticket system | Version: | 0.7.1 |
| Severity: | minor | Keywords: | patch |
| Cc: | |||
| Release Notes: | |||
| API Changes: | |||
Description
Steps to reproduce: Go to the "create new ticket" screen, enter the following in the Short Summary box:
This summary "contains quotes"
Then hit the preview button. The preview will come up with only "This summary" in the short summary field - everything including and after the first quote dissapears, because it is not being escaped as html entities before display.
Attachments
Change History
comment:1 Changed 8 years ago by cmlenz
- Resolution set to worksforme
- Status changed from new to closed
comment:2 Changed 8 years ago by cmlenz
- Resolution worksforme deleted
- Status changed from closed to reopened
Or not. Using ModPython the behavior is buggy as reported.
comment:3 Changed 8 years ago by cmlenz
- Owner changed from jonas to cmlenz
- Status changed from reopened to new
comment:4 Changed 8 years ago by cmlenz
- Status changed from new to assigned
comment:6 Changed 8 years ago by cmlenz
- Keywords patch added
The culprit here is the function util.escape(). It checks whether its argument is really of type StringType and only then performs the escaping. When running under ModPython however, parameter values retrieved from the FieldStorage are of type mod_python.util.StringField, and thus don't get escaped at all!
The following patch fixes the issue by converting any argument to a string first. I'd like to get some feedback on whether this change might introduce any regressions before checking it in. Jonas?
Index: trac/util.py
===================================================================
--- trac/util.py (revision 1020)
+++ trac/util.py (working copy)
@@ -65,12 +65,10 @@
"""Escapes &, <, > and \""""
if not text:
return ''
- if type(text) is StringType:
- text = text.replace('&', '&') \
- .replace('<', '<') \
- .replace('>', '>') \
- .replace('"', '"')
- return text
+ return str(text).replace('&', '&') \
+ .replace('<', '<') \
+ .replace('>', '>') \
+ .replace('"', '"')
def get_first_line(text, maxlen):
"""
I'll also add the patch as attachment.
Changed 8 years ago by cmlenz
- Attachment modpython_escape.patch added
Patch as described in previous comment
comment:7 Changed 8 years ago by jonas
Good question, I can't remember exactly why it is this way. Your patch is definitely the way to go, and I think we have a good chance of detecting any regressions before the release if the patch is applied now.
comment:8 Changed 8 years ago by cmlenz
- Resolution set to fixed
- Status changed from assigned to closed
Fixed in [1027].
Works for me in 0.8.