rendering html content modifies it

[ittayd@…]

writing:

{{{
#!html
<script>if i < 1 {alert(hi);}</script>
}}}

is rendered as

<script>if i &lt; 1 {alert(hi);}</script>

[Tim Hatch]

Perhaps I'm misunderstanding the issue, but that slight change is what I would expect for being displayed in an xhtml page. '<' is not allowed as a bare character and must be escaped as '&lt'. Does this keep your script from working?

[anonymous]

yes. javascript text is not supposed to be escaped.

i think the best way to close this, and #4418 is to provide an unsafe_html processor. i did it in my installation:

from trac.wiki.macros import WikiMacroBase
from trac.util.html import escape, Markup, Element, html

class unsafe_html(WikiMacroBase):
        def render_macro(self, req, name, text):
                from HTMLParser import HTMLParseError
                try:
                    return Markup(text)
                except HTMLParseError, e:
                    self.env.log.warn(e)
                    return system_message('HTML parsing error: %s' % escape(e.msg),
                                  text.splitlines()[e.lineno - 1].strip())

[ittayd@…]

this is totally of topic here, but how can i register? i'm tired of forgetting to put in my email each time

[Tim Hatch]

To remember your email: go to "Settings" and it'll save it in a cookie.

Allowing the < to go through without escaping is not allowed and will probably break the well-formedness of the document. We could wrap the script contents in a CDATA block if necessary to allow such characters.

However, I am not able to reproduce this on trunk. I think that script elements are being completely removed since the Genshi merge. This ticket needs a second opinion from the other developers on whether script elements are supposed to be allowed under even 0.10.x.

[Tim Hatch]

Oops. You already performed the hack in #4418 to make them display. I'm still waking up.

[Matthew Good]

Adding an option would probably be easier for users than a separate processor, both for enabling/disabling and using in the Wiki. This adds [wiki] render_unsafe_content, though I'm not sure if using the same name as the option from the [attachment] section is good or will cause confusion.

trac/wiki/api.py

@@ -121 +121 @@
         """Enable/disable splitting the WikiPageNames with space characters
         (''since 0.10'').""")
 
+    render_unsafe_content = BoolOption('wiki', 'render_unsafe_content', 'false')
+
     def __init__(self):
         self._index = None
         self._last_index_update = 0

trac/wiki/formatter.py

@@ -83 +83 @@
         return html.PRE(text, class_="wiki")
 
     def _html_processor(self, req, text):
+        if WikiSystem(self.env).render_unsafe_content:
+            return Markup(text)
         from HTMLParser import HTMLParseError
         try:
             return Markup(text).sanitize()

[Christian Boos]

As it's for exactly the same purpose (i.e. rendering user provided HTML "as is"), I'd say it's OK to reuse the name.

OTOH, keeping two options is probably overkill in the longer run; we could think about centralizing that to [mimeview] render_unsafe_content, as I don't think there's much use to remove the protection for attachments and leave it for the wiki, or vice-versa.

Either way, as it's a ticket with small impact and already a patch, I think it's OK for 0.10.4.

[Matthew Good]

Alright, I'll add a docstring for the option and check that in.

[Matthew Good]

Ok, committed in r4472 and r4473.