Modify ↓
Opened 20 years ago
Closed 20 years ago
#885 closed defect (fixed)
escape title attribute on changeset links
Reported by: | Matthew Good <matt-good.net> | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | normal | Milestone: | 0.8 |
Component: | general | Version: | devel |
Severity: | normal | Keywords: | |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
On Trac Wiki links to changeset, the message is placed in the title attribute of the link, but special HTML characters are not escaped. I noticed this in the RSS from the timeline, though this occurs in the HTML as well.
<item> <pubDate>Thu, 04 Nov 2004 21:11:00 GMT</pubDate> <title>Ticket #878 resolved: Fixed in [1017].</title> <link>http://projects.edgewall.com/trac/ticket/878</link> <description><p> Fixed in [<a title=" * Only enable the resolution <select> if "closed" is the only/first ..." href="http://projects.edgewall.com/trac/changeset/1017">1017</a>]. </p> </description> <category>Ticket</category> </item>
Attachments (0)
Note:
See TracTickets
for help on using tickets.
Ok, let's try something different as Trac decided to screw that up and not escape the
&
on the HTML entities.Here's some HTML from the timeline:
Note that the < > and " characters in the title text aren't escaped.