Edgewall Software
Modify

Opened 16 years ago

Closed 15 years ago

#2428 closed defect (duplicate)

html wikiprocessor doesn't ensure all tags are closed

Reported by: dkg-debian.org@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: 0.9
Severity: normal Keywords: security
Cc: dkg-debian.org@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

The html WikiProcessor should ensure that all tags opened by the inline html are appropriately closed.

For example, including the following code would effectively swallow up the rest of the page into this trouble-ticket field:

{{{
#!html
<table><tr><td>
}}}

i'll actually post this code directly in a followup to this ticket so that you can see what the page looks like.

Attachments (0)

Change History (7)

comment:1 by dkg-debian.org@…, 16 years ago

Here's me posting the code directly: note how the remainder of the page gets swallowed up by this followup:

Now we're in a table!

comment:2 by dkg-debian.org@…, 16 years ago

here's another example of an unclosed tag:

It's all bold and underlined and big and italic!

comment:3 by Christian Boos, 16 years ago

The idea is that if you need to go down to the HTML level, you should also be able to do it "cleanly"…

I'm not sure it makes sense to implement some kind of HTML parser here, as you can Preview the effect of your macro and correct it, if needed.

Sure, #454 would help here too, when you forgot to preview…

comment:4 by Matthew Good, 15 years ago

I actually consider this a feature of the HTML blocks, since it would allow things like:

[[html(<div style="border: 1px solid red">)]]
WikiText with a red border
[[html(</div>)]]

WikiText with a red border

in reply to:  4 ; comment:5 by dkg-debian.org@…, 15 years ago

Cc: dkg-debian.org@… added

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things …

Ah! i can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags. Otherwise, i could do things like hide all remaining comments in the thread with a <div style="display:none;"> wrapped in the html preprocessor, right?

in reply to:  5 ; comment:6 by Christian Boos, 15 years ago

Replying to dkg-debian.org@fifthhorseman.net:

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things …

Ah! i can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags.

Agreed.

Otherwise, i could do things like hide all remaining comments in the thread with a <div style="display:none;"> wrapped in the html preprocessor, right?

No, this kind of things is reserved for spammers, and you're not one of them ;)

in reply to:  6 comment:7 by Christian Boos, 15 years ago

Resolution: duplicate
Status: newclosed

Replying to cboos:

Replying to dkg-debian.org@fifthhorseman.net:

Replying to mgood:

I actually consider this a feature of the HTML blocks, since it would allow things …

Ah! i can see how that would be useful. But it doesn't really make sense for that to be possible across ticket comments. That is, after rendering each ticket comment, the ticket renderer should close any outstanding open tags.

Agreed.

Following-up on that point in #2048.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.