Edgewall Software

Opened 18 years ago

Closed 18 years ago

Last modified 16 years ago

#743 closed defect (fixed)

New ticket screen does not escape entities in summary on preview

Reported by: anonymous Owned by: Christopher Lenz
Priority: low Milestone: 0.8
Component: ticket system Version: 0.7.1
Severity: minor Keywords: patch


Steps to reproduce: Go to the "create new ticket" screen, enter the following in the Short Summary box:

This summary "contains quotes"

Then hit the preview button. The preview will come up with only "This summary" in the short summary field - everything including and after the first quote disappears, because it is not being escaped as html entities before display.

Attachments (1)

modpython_escape.patch (685 bytes) - added by Christopher Lenz 18 years ago.
Patch as described in previous comment


Change History (9)

comment:1 by Christopher Lenz, 18 years ago

Resolution: worksforme
Status: new → closed

Works for me in 0.8.

comment:2 by Christopher Lenz, 18 years ago

Resolution: worksforme
Status: closed → reopened

Or not. Using ModPython the behavior is buggy as reported.

comment:3 by Christopher Lenz, 18 years ago

Owner: changed from Jonas Borgström to Christopher Lenz
Status: reopened → new

comment:4 by Christopher Lenz, 18 years ago

Status: new → assigned

comment:5 by Christopher Lenz, 18 years ago

Milestone: 0.8

(sorry for the spam)

comment:6 by Christopher Lenz, 18 years ago

Keywords: patch added

The culprit here is the function util.escape(). It checks whether its argument is really of type StringType and only then performs the escaping. When running under ModPython however, parameter values retrieved from the FieldStorage are of type mod_python.util.StringField, and thus don't get escaped at all!

The following patch fixes the issue by converting any argument to a string first. I'd like to get some feedback on whether this change might introduce any regressions before checking it in. Jonas?

Index: trac/util.py
--- trac/util.py	(revision 1020)
+++ trac/util.py	(working copy)
@@ -65,12 +65,10 @@
     """Escapes &, <, > and \""""
     if not text:
         return ''
-    if type(text) is StringType:
-        text = text.replace('&', '&') \
-               .replace('<', '<') \
-               .replace('>', '>') \
-               .replace('"', '"')
-    return text
+    return str(text).replace('&', '&') \
+                    .replace('<', '<') \
+                    .replace('>', '>') \
+                    .replace('"', '"')
 def get_first_line(text, maxlen):
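
Review bot: `str(text)` on the new `return` line raises UnicodeEncodeError when `text` is a unicode object holding non-ASCII characters (this is Python 2 code, per the removed `StringType` check), whereas the old code returned such values untouched. Consider passing string types through as they are and calling `str()` only on everything else, for example by testing `isinstance(text, basestring)` first, which also accepts subclasses that the exact `type(text) is StringType` comparison rejected. Note too that non-string arguments such as numbers now come back as `str` instead of unchanged, so callers that relied on the pass-through are the place to look for regressions.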

I'll also add the patch as attachment.

by Christopher Lenz, 18 years ago

Attachment: modpython_escape.patch added

Patch as described in previous comment
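
The type-check bypass described in comment:6, together with the reporter's truncated preview, reproduced as an added example that is not part of the ticket or of Trac's code. `StringField` below is a stand-in str subclass (an assumption, not the mod_python class), `type(text) is str` is the Python 3 analogue of the `StringType` check, and the entity names in the `replace` calls are the standard HTML ones.

```python
from html.parser import HTMLParser


class StringField(str):
    """Stand-in (assumption) for mod_python.util.StringField: a str subclass."""


def escape_exact_type(text):
    """Pre-patch behaviour: escape only when the type is exactly str."""
    if not text:
        return ''
    if type(text) is str:  # Python 3 analogue of `type(text) is StringType`
        text = (text.replace('&', '&amp;').replace('<', '&lt;')
                    .replace('>', '&gt;').replace('"', '&quot;'))
    return text


def escape_any(text):
    """Post-patch behaviour: convert to str first, then always escape."""
    if not text:
        return ''
    return (str(text).replace('&', '&amp;').replace('<', '&lt;')
                     .replace('>', '&gt;').replace('"', '&quot;'))


class _ValueGrabber(HTMLParser):
    """Records the value attribute of the first <input> it sees."""
    value = None

    def handle_starttag(self, tag, attrs):
        if tag == 'input' and self.value is None:
            self.value = dict(attrs).get('value')


def previewed_summary(escape, summary):
    """Render the summary into an input field and read it back as a browser would."""
    parser = _ValueGrabber()
    parser.feed('<input type="text" name="summary" value="%s">' % escape(summary))
    return parser.value


SUMMARY = 'This summary "contains quotes"'  # the reporter's input from the ticket
```

A plain `str` survives the round trip with either function, which matches the "works for me" result outside ModPython; only the subclass instance slips past the exact-type check.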

comment:7 by Jonas Borgström, 18 years ago

Good question, I can't remember exactly why it is this way. Your patch is definitely the way to go, and I think we have a good chance of detecting any regressions before the release if the patch is applied now.

comment:8 by Christopher Lenz, 18 years ago

Resolution: fixed
Status: assigned → closed

Fixed in [1027].
