Edgewall Software

Ticket #885 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

escape title attribute on changeset links

Reported by: Matthew Good <matt-good.net> Owned by: jonas
Priority: normal Milestone: 0.8
Component: general Version: devel
Severity: normal Keywords:
Cc:

Description

On Trac Wiki links to changeset, the message is placed in the title attribute of the link, but special HTML characters are not escaped. I noticed this in the RSS from the timeline, though this occurs in the HTML as well. 

<item>
        
        <pubDate>Thu, 04 Nov 2004 21:11:00 GMT</pubDate>
        <title>Ticket #878 resolved: Fixed in [1017].</title>

        <link>http://projects.edgewall.com/trac/ticket/878</link>
        <description><p>
Fixed in [<a title=" * Only enable the resolution <select> if "closed" is the only/first ..." href="http://projects.edgewall.com/trac/changeset/1017">1017</a>].

</p>
</description>
        <category>Ticket</category>
      </item>

Attachments

Change History

Changed 4 years ago by Matthew Good <matt-good.net>

Ok, let's try something different as Trac decided to screw that up and not escape the & on the HTML entities.

Here's some HTML from the timeline: 

[<a title=" * Only enable the resolution <select> if "closed is the only/first ...
href="http://projects.edgewall.com/trac/changeset/1017">1017</a>]

Note that the < > and " characters in the title text aren't escaped.

Changed 4 years ago by anonymous

  • status changed from new to closed
  • resolution set to fixed

Fixed in [1020]

Add/Change #885 (escape title attribute on changeset links)

Author



Change Properties
<Author field>
Action
as closed
Next status will be 'reopened'
to The owner will change from jonas. Next status will be 'closed'
 
Note: See TracTickets for help on using tickets.