Opened 18 years ago
Closed 18 years ago
#4419 closed defect (fixed)
rendering html content modifies it
Reported by: | Owned by: | Matthew Good | |
---|---|---|---|
Priority: | normal | Milestone: | 0.10.4 |
Component: | general | Version: | 0.10.3 |
Severity: | normal | Keywords: | mimeview html |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
writing:
{{{ #!html <script>if i < 1 {alert(hi);}</script> }}}
is rendered as
<script>if i < 1 {alert(hi);}</script>
Attachments (0)
Change History (9)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
yes. javascript text is not supposed to be escaped.
i think the best way to close this, and #4418 is to provide an unsafe_html processor. i did it in my installation:
from trac.wiki.macros import WikiMacroBase from trac.util.html import escape, Markup, Element, html class unsafe_html(WikiMacroBase): def render_macro(self, req, name, text): from HTMLParser import HTMLParseError try: return Markup(text) except HTMLParseError, e: self.env.log.warn(e) return system_message('HTML parsing error: %s' % escape(e.msg), text.splitlines()[e.lineno - 1].strip())
comment:3 by , 18 years ago
this is totally of topic here, but how can i register? i'm tired of forgetting to put in my email each time
comment:4 by , 18 years ago
To remember your email: go to "Settings" and it'll save it in a cookie.
Allowing the <
to go through without escaping is not allowed and will probably break the well-formedness of the document. We could wrap the script
contents in a CDATA block if necessary to allow such characters.
However, I am not able to reproduce this on trunk. I think that script
elements are being completely removed since the Genshi merge. This ticket needs a second opinion from the other developers on whether script
elements are supposed to be allowed under even 0.10.x.
comment:5 by , 18 years ago
Oops. You already performed the hack in #4418 to make them display. I'm still waking up.
comment:6 by , 18 years ago
Adding an option would probably be easier for users than a separate processor, both for enabling/disabling and using in the Wiki. This adds [wiki] render_unsafe_content
, though I'm not sure if using the same name as the option from the [attachment]
section is good or will cause confusion.
-
trac/wiki/api.py
121 121 """Enable/disable splitting the WikiPageNames with space characters 122 122 (''since 0.10'').""") 123 123 124 render_unsafe_content = BoolOption('wiki', 'render_unsafe_content', 'false') 125 124 126 def __init__(self): 125 127 self._index = None 126 128 self._last_index_update = 0 -
trac/wiki/formatter.py
83 83 return html.PRE(text, class_="wiki") 84 84 85 85 def _html_processor(self, req, text): 86 if WikiSystem(self.env).render_unsafe_content: 87 return Markup(text) 86 88 from HTMLParser import HTMLParseError 87 89 try: 88 90 return Markup(text).sanitize()
comment:7 by , 18 years ago
Keywords: | mimeview html added |
---|---|
Milestone: | → 0.10.4 |
As it's for exactly the same purpose (i.e. rendering user provided HTML "as is"), I'd say it's OK to reuse the name.
OTOH, keeping two options is probably overkill in the longer run; we could think about centralizing that to [mimeview] render_unsafe_content
, as I don't think there's much use to remove the protection for attachments and leave it for the wiki, or vice-versa.
Either way, as it's a ticket with small impact and already a patch, I think it's OK for 0.10.4.
comment:8 by , 18 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Alright, I'll add a docstring for the option and check that in.
comment:9 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Perhaps I'm misunderstanding the issue, but that slight change is what I would expect for being displayed in an xhtml page. '<' is not allowed as a bare character and must be escaped as '<'. Does this keep your script from working?