[Trac-tickets] [The Trac Project] #1019: Component names in tickets not escaped properly
The Trac Project
noreply at edgewall.com
Fri Dec 3 13:32:39 EST 2004
#1019: Component names in tickets not escaped properly
---------------------------+------------------------------------------------
Id: 1019 | Status: new
Component: ticket system | Modified: Fri Dec 3 13:32:39 2004
Severity: minor | Milestone:
Priority: normal | Version: 0.8
Owner: jonas | Reporter: Steven N. Severinghaus <sns at severinghaus.org>
---------------------------+------------------------------------------------
The symptom is that when editing a ticket in Trac 0.8, an incorrect
component is selected. This happens when a component has a character (e.g.
>) in its name that needs to be escaped in HTML.
A possible fix might be to wrap the {{{ option.name }}} and {{{ $selected
}}} variables on line 4 of source:/trunk/templates/macros.cs in the
!ClearSilver [http://www.clearsilver.net/docs/man_filters.hdf html_escape]
function, so that both sides of the equality test are escaped in the same
way. Unfortunately, my testing indicates that {{{ html_escape() }}} isn't
available, despite what the !ClearSilver docs suggest ("Unknown function
html_escape called").
Alternatively, we could escape the values in source:/trunk/trac/Ticket.py
(line 324) before they get put into the HDF. This might be more
appropriate, but would involve digging further into {{{ util.sql_to_hdf
}}} and so on.
--
Ticket URL: <http://projects.edgewall.com/trac/ticket/1019>
The Trac Project <>
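
The mismatch described in the ticket, as an added Python example (not Trac or ClearSilver code, and not part of the original message). It assumes the option name reaches the comparison already HTML-escaped while the selected value is raw; the component names and function names are constructed for illustration.

```python
from html import escape

# Constructed sample data; not taken from a real Trac database.
COMPONENTS = ["general", "wiki > macros", "ticket system"]


def render_mismatched(components, selected):
    """Assumed bug shape: escaped option name compared with a raw selected value."""
    out = []
    for name in components:
        escaped = escape(name)  # e.g. "wiki > macros" -> "wiki &gt; macros"
        mark = " selected" if escaped == selected else ""
        out.append(f"<option{mark}>{escaped}</option>")
    return out


def render_consistent(components, selected):
    """Compare raw values on both sides; escape exactly once, at output time."""
    out = []
    for name in components:
        mark = " selected" if name == selected else ""
        out.append(f"<option{mark}>{escape(name)}</option>")
    return out


def selected_index(rendered):
    """Index a browser would show: the marked option, else the first one."""
    for i, opt in enumerate(rendered):
        if opt.startswith("<option selected>"):
            return i
    return 0


if __name__ == "__main__":
    current = "wiki > macros"
    for render in (render_mismatched, render_consistent):
        html = render(COMPONENTS, current)
        print(render.__name__, "->", COMPONENTS[selected_index(html)])
```

Escaping at output while comparing raw values also keeps the name encoded exactly once, so a component name containing markup characters is neither double-escaped nor emitted unescaped.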