bogus characters in ticket summary break RSS output

[chris.beauregard@…]

Somehow (through cut and paste, presumably), a carriage return is making it into a ticket summary. This results in the RSS feed breaking. The resulting item title in the RSS ends up something like:

<title>Ticket <em title="testing ^M
testing">#3696 (defect) created by user</title>

Where the ^M is a single control character. Not sure if this should be considered an input or output filtering problem.

Unfortunately, I don't have a newer version of Trac to test this against… I could create a demo ticket here, if you don't mind the RSS feeds maybe getting broken.

[osimons]

Testing this on 0.11 I can't see that this is a problem anymore. The report is from 0.9b2 which is some 2.5 years ago. It 'worksforme'.

Please reopen this ticket if it can be reproduced on 0.11. Such a trivial issue would not be fixed for 0.10.x (if it exists there).

[anonymous]

I changed the summary of this ticket, and the resulting RSS entry no longer includes the title="" section:

<title>Ticket #3535 (defect updated): bogus^M
characters^M
in ticket^M
summary break^M
RSS output</title>

I still consider it a bug that newlines/CRs entered into a textfield are being kept intact, and I think this will bite again down the road if someone tries to do something "nice" again with the RSS. But the immediate problem of a broken RSS feed is fixed and the timeline HTML still validates even with the newlines in the title section:

<dt class="editedticket"><a href="/ticket/3535#comment:4"><span class="time">13:46</span> Ticket <em title="bogus
characters
in ticket
summary break
RSS output">#3535</em> (defect) updated by anonymous</a></dt><dd class="editedticket"><i>summary</i> changed<br /></dd>

So the underlying "bug" of insufficient input validation is still there in 0.11, but it doesn't appear to be causing the same problems as far as I can see. Of course, now you have a live example in your database, so I guess we'll see if anyone has a stricter RSS client.