Incomplete documentation for render_unsafe_content

[philip@…]

The documentation for the render_unsafe_content INI flag says only that it governs "[w]hether attachments should be rendered in the browser, or only made downloadable." Grepping through the Trac source, I can see that render_unsafe_content=false triggers "sanitized" HTML.

Suggested solution: The documentation for render_unsafe_content needs to be updated to reflect all of its effects, including sanitizing HTML.

Here's a specific example —

I expected this Trac Wiki content to render as a clickable email address:

{{{
#!html
<a href="mailto:foo@example.com">foo@example.com</a>
}}}

However, it doesn't when render_unsafe_content is set to the default of false. When I change it to true, the mailto link becomes clickable.

I realize that I don't need raw HTML to create mailto links, but I have a valid use case for this. We like to obfuscate our email addresses with HTML entities like so:

{{{
#!html
<a href='mailt&#111;&#58;&#102;o&#111;&#64;&#101;&#120;am&#112;le&#46;&#99;&#111;m'>&#102;o&#111;&#64;&#101;&#120;am&#112;le&#46;&#99;&#111;m</a>
}}}

From a Web browser's point of view, this is the same as the raw HTML above and it presents end users with a readable, clickable link. But some experiments I did a few years ago indicated that email harvesters were not savvy enough (or couldn't be bothered) to decode entity references.

[Remy Blank]

Note that there are three render_unsafe_content options, one in [attachment], another in [browser] and the last one in [wiki]. The last one controls the behavior of {{{!#html}}} blocks, and is documented as such.

[anonymous]

You're correct; I obviously missed that. Thanks for the pointer. I'll close this ticket.