Opened 13 years ago
Closed 13 years ago
#10708 closed defect (invalid)
Incomplete documentation for render_unsafe_content
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | rendering | Version: | |
Severity: | minor | Keywords: | render_unsafe_content documentation |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
The documentation for the render_unsafe_content INI flag says only that it governs "[w]hether attachments should be rendered in the browser, or only made downloadable." Grepping through the Trac source, I can see that render_unsafe_content=false triggers "sanitized" HTML.
Suggested solution: The documentation for render_unsafe_content needs to be updated to reflect all of its effects, including sanitizing HTML.
Here's a specific example —
I expected this Trac Wiki content to render as a clickable email address:
{{{ #!html <a href="mailto:foo@example.com">foo@example.com</a> }}}
However, it doesn't when render_unsafe_content is set to the default of false. When I change it to true, the mailto link becomes clickable.
I realize that I don't need raw HTML to create mailto links, but I have a valid use case for this. We like to obfuscate our email addresses with HTML entities like so:
{{{ #!html <a href='mailto:foo@example.com'>foo@example.com</a> }}}
From a Web browser's point of view, this is the same as the raw HTML above and it presents end users with a readable, clickable link. But some experiments I did a few years ago indicated that email harvesters were not savvy enough (or couldn't be bothered) to decode entity references.
Attachments (0)
Change History (3)
comment:1 by , 13 years ago
comment:2 by , 13 years ago
You're correct; I obviously missed that. Thanks for the pointer. I'll close this ticket.
comment:3 by , 13 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Note that there are three
render_unsafe_content
options, one in[attachment]
, another in[browser]
and the last one in[wiki]
. The last one controls the behavior of{{{!#html}}}
blocks, and is documented as such.