Edgewall Software

Opened 10 years ago

Closed 10 years ago

#10708 closed defect (invalid)

Incomplete documentation for render_unsafe_content

Reported by: philip@… Owned by:
Priority: normal Milestone:
Component: rendering Version:
Severity: minor Keywords: render_unsafe_content documentation
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:


The documentation for the render_unsafe_content INI flag says only that it governs "[w]hether attachments should be rendered in the browser, or only made downloadable." Grepping through the Trac source, I can see that render_unsafe_content=false triggers "sanitized" HTML.

Suggested solution: The documentation for render_unsafe_content needs to be updated to reflect all of its effects, including sanitizing HTML.

Here's a specific example —

I expected this Trac Wiki content to render as a clickable email address:

<a href="mailto:foo@example.com">foo@example.com</a>

However, it doesn't when render_unsafe_content is set to the default of false. When I change it to true, the mailto link becomes clickable.

I realize that I don't need raw HTML to create mailto links, but I have a valid use case for this. We like to obfuscate our email addresses with HTML entities like so:

<a href='mailt&#111;&#58;&#102;o&#111;&#64;&#101;&#120;am&#112;le&#46;&#99;&#111;m'>&#102;o&#111;&#64;&#101;&#120;am&#112;le&#46;&#99;&#111;m</a>

From a Web browser's point of view, this is the same as the raw HTML above and it presents end users with a readable, clickable link. But some experiments I did a few years ago indicated that email harvesters were not savvy enough (or couldn't be bothered) to decode entity references.

Attachments (0)

Change History (3)

comment:1 by Remy Blank, 10 years ago

Note that there are three render_unsafe_content options, one in [attachment], another in [browser] and the last one in [wiki]. The last one controls the behavior of {{{!#html}}} blocks, and is documented as such.

comment:2 by anonymous, 10 years ago

You're correct; I obviously missed that. Thanks for the pointer. I'll close this ticket.

comment:3 by anonymous, 10 years ago

Resolution: invalid
Status: newclosed

Modify Ticket

Change Properties
Set your email in Preferences
as closed The ticket will remain with no owner.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from (none) to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.