Opened 10 years ago

Closed 7 years ago

#2509 closed defect (fixed)

Creating diary entries with "foo <bar blah" as the content will be saved as "foo" with the rest silently dropped

Reported by: avar
Owned by: rails-dev@…
Priority: minor
Milestone:
Component: website
Version:
Keywords:
Cc:

Description

  1. Create a diary entry with "foo <bar blah" as the content
  2. Comment on it with the comment "foo <bar blah"

Both the content & the comment will be trimmed to "foo".

I just lost a diary comment because of this because I wrote the less-than sign in my text ("<5">). The HTML sanitizer shouldn't be so eager.

Change History (3)

comment:1 Changed 10 years ago by Tom Hughes

Priority: critical → minor

Diary entries are sanitised when they are displayed, not when they are entered, so the content in the database will be correct.

The sanitisation routines are part of rails, so there isn't a huge amount we can do about this very easily.

comment:2 Changed 8 years ago by Tom Hughes

Owner: changed from Tom Hughes to rails-dev@…

comment:3 Changed 7 years ago by Tom Hughes

Resolution: fixed
Status: new → closed

This should be fixed, as we now use Markdown for new diary entries.
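As an added illustration of the behaviour discussed in comment:1 and the Markdown resolution in comment:3, the Ruby below is not code from this ticket, from Rails, or from the OpenStreetMap site. It contrasts three ways of handling the reporter's input: a naive tag stripper that, on seeing an unterminated `<`, discards the rest of the string (reproducing the "foo" result); plain HTML escaping, which loses nothing; and a stripper that removes only complete tags and escapes any stray `<`. The helper names and the sample strings are constructed for this example; the actual Rails sanitizer is not reproduced here.

```ruby
require "cgi"

# Constructed sample input: the exact string from the ticket description.
TICKET_INPUT = "foo <bar blah"

# Naive tag stripper (constructed for this example, NOT the Rails routine):
# removes everything from a "<" up to the next ">". An unterminated "<"
# never finds its ">", so the remainder of the string is silently dropped,
# which is the failure mode the ticket reports.
def naive_strip_tags(text)
  out = +""
  i = 0
  while i < text.length
    if text[i] == "<"
      close = text.index(">", i)
      break if close.nil?      # unterminated tag: rest of the text is lost
      i = close + 1            # skip the whole <...> span
    else
      out << text[i]
      i += 1
    end
  end
  out
end

# Escaping instead of stripping: nothing is removed, the browser renders the
# literal characters, and no markup survives into the page.
def escape_html(text)
  CGI.escapeHTML(text)
end

# Hardened stripper (also constructed for this example): only a complete,
# well-formed tag (letter-initial name, closing ">" present) is removed.
# Any other "<" or ">" is kept and escaped, so "foo <bar blah" and "<5"
# survive intact while "<b>...</b>" is still stripped.
def strip_complete_tags(text)
  out = +""
  i = 0
  while i < text.length
    if text[i] == "<"
      close = text.index(">", i)
      if close && text[(i + 1)...close] =~ /\A\/?[A-Za-z][^<>]*\z/
        i = close + 1          # well-formed tag: drop it
        next
      end
    end
    out << CGI.escapeHTML(text[i])
    i += 1
  end
  out
end

if __FILE__ == $0
  puts "naive:    #{naive_strip_tags(TICKET_INPUT).inspect}"     # "foo "
  puts "escaped:  #{escape_html(TICKET_INPUT).inspect}"          # "foo &lt;bar blah"
  puts "hardened: #{strip_complete_tags(TICKET_INPUT).inspect}"  # "foo &lt;bar blah"
end
```

The design point is the one comment:1 makes: sanitising at display time keeps the stored text correct, so the only question is how the display-time filter treats input that is not markup at all. A filter that discards from `<` to end-of-string turns a data-loss bug into something users notice only after their text is gone; escaping, or stripping only what actually parses as a tag, keeps the text visible without letting markup through.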
