Edgewall Software
Modify

Opened 18 years ago

Closed 18 years ago

#4419 closed defect (fixed)

rendering html content modifies it

Reported by: ittayd@… Owned by: Matthew Good
Priority: normal Milestone: 0.10.4
Component: general Version: 0.10.3
Severity: normal Keywords: mimeview html
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

writing:

{{{
#!html
<script>if i < 1 {alert(hi);}</script>
}}}

is rendered as

<script>if i &lt; 1 {alert(hi);}</script>

Attachments (0)

Change History (9)

comment:1 by Tim Hatch, 18 years ago

Perhaps I'm misunderstanding the issue, but that slight change is what I would expect for being displayed in an xhtml page. '<' is not allowed as a bare character and must be escaped as '&lt'. Does this keep your script from working?

comment:2 by anonymous, 18 years ago

yes. javascript text is not supposed to be escaped.

i think the best way to close this, and #4418 is to provide an unsafe_html processor. i did it in my installation:

from trac.wiki.macros import WikiMacroBase
from trac.util.html import escape, Markup, Element, html

class unsafe_html(WikiMacroBase):
        def render_macro(self, req, name, text):
                from HTMLParser import HTMLParseError
                try:
                    return Markup(text)
                except HTMLParseError, e:
                    self.env.log.warn(e)
                    return system_message('HTML parsing error: %s' % escape(e.msg),
                                  text.splitlines()[e.lineno - 1].strip())

comment:3 by ittayd@…, 18 years ago

this is totally of topic here, but how can i register? i'm tired of forgetting to put in my email each time

comment:4 by Tim Hatch, 18 years ago

To remember your email: go to "Settings" and it'll save it in a cookie.

Allowing the < to go through without escaping is not allowed and will probably break the well-formedness of the document. We could wrap the script contents in a CDATA block if necessary to allow such characters.

However, I am not able to reproduce this on trunk. I think that script elements are being completely removed since the Genshi merge. This ticket needs a second opinion from the other developers on whether script elements are supposed to be allowed under even 0.10.x.

comment:5 by Tim Hatch, 18 years ago

Oops. You already performed the hack in #4418 to make them display. I'm still waking up.

comment:6 by Matthew Good, 18 years ago

Adding an option would probably be easier for users than a separate processor, both for enabling/disabling and using in the Wiki. This adds [wiki] render_unsafe_content, though I'm not sure if using the same name as the option from the [attachment] section is good or will cause confusion.

  • trac/wiki/api.py

     
    121121        """Enable/disable splitting the WikiPageNames with space characters
    122122        (''since 0.10'').""")
    123123
     124    render_unsafe_content = BoolOption('wiki', 'render_unsafe_content', 'false')
     125
    124126    def __init__(self):
    125127        self._index = None
    126128        self._last_index_update = 0
  • trac/wiki/formatter.py

     
    8383        return html.PRE(text, class_="wiki")
    8484
    8585    def _html_processor(self, req, text):
     86        if WikiSystem(self.env).render_unsafe_content:
     87            return Markup(text)
    8688        from HTMLParser import HTMLParseError
    8789        try:
    8890            return Markup(text).sanitize()

comment:7 by Christian Boos, 18 years ago

Keywords: mimeview html added
Milestone: 0.10.4

As it's for exactly the same purpose (i.e. rendering user provided HTML "as is"), I'd say it's OK to reuse the name.

OTOH, keeping two options is probably overkill in the longer run; we could think about centralizing that to [mimeview] render_unsafe_content, as I don't think there's much use to remove the protection for attachments and leave it for the wiki, or vice-versa.

Either way, as it's a ticket with small impact and already a patch, I think it's OK for 0.10.4.

comment:8 by Matthew Good, 18 years ago

Owner: changed from Jonas Borgström to Matthew Good
Status: newassigned

Alright, I'll add a docstring for the option and check that in.

comment:9 by Matthew Good, 18 years ago

Resolution: fixed
Status: assignedclosed

Ok, committed in r4472 and r4473.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Matthew Good.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Matthew Good to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.