View Issue Details

ID: 0027099
Project: mantisbt
Category: html
View Status: public
Last Update: 2024-03-28 06:38
Reporter: loris.nardo
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 2.24.1
Summary: 0027099: Inconsistent escape of html entities while editing an issue
Description

If the description of an issue contains raw html entities, they are transformed back into the equivalent characters during the edit of the issue.
This can cause the description message to change its meaning especially when the replaced html entities are the less than character and the ampersand character.

Steps To Reproduce
  1. Create an issue with the attached description
  2. See the resulting issue
  3. Open the edit view for the issue
  4. Note that the description text area has different content
  5. Save the issue
  6. Note that the description of the issue has changed, also note that the less than entity has been eagerly transformed into the less than character.

This assumes a default configuration for MantisBT.

Tags: No tags attached.
Attached Files
description_sample.txt (25 bytes)   
<b>test</b>

Relationships

related to 0008540 (status: new): & not escaped.

Activities

hotzeplotz (reporter), 2024-03-27 20:43, note ~0068733

related to: 0008540

hotzeplotz (reporter), 2024-03-28 06:36, note ~0068736
Last edited: 2024-03-28 06:38

The content for the textarea (for editing) is processed in the same way as text for the output (for displaying).

string_api::string_textarea() calls string_api::string_html_specialchars()

return preg_replace( '/&amp;(#[0-9]+|[a-z]+);/i', '&$1;', @htmlspecialchars( $p_string, ENT_COMPAT, 'utf-8' ) );

^ this code snippet is the perfect sample for this unwanted behaviour.

I think that both have a different scope. The text to be edited in the textarea should not be treated in any way (except for htmlspecialchars of course)

string_api::string_textarea() should simply

return @htmlspecialchars( $p_string, ENT_COMPAT, 'utf-8' );

The same applies to text fields. See 0008540.

But unlike string_textarea, which is clearly dedicated, the function string_attribute is not. It is used for the text that is displayed and for the text that is used in text fields.

Like string_textarea, it could be called string_text_field or something similar. One method for displaying and one for editing.

Or one for all string_to_be_used_in_a_form().

Of course, all this is based on very little knowledge of the MantisBT internals. The basic idea is something like: "No mixing of different purposes".
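The edit/save round trip described in the note above, modelled in Python as an added example that is not MantisBT code: php_htmlspecialchars(), string_html_specialchars(), string_textarea_current() and string_textarea_proposed() are hypothetical stand-ins for the PHP functions named in the note, html.unescape() stands in for the browser decoding the textarea content on submit, and the two sample descriptions are constructed to match the report (text containing raw HTML entities).

```python
import html
import re

# Constructed sample descriptions containing raw HTML entities, as typed by
# the user (the report's attachment is described as such a description).
SAMPLE_TAG = "&lt;b&gt;test&lt;/b&gt;"
SAMPLE_AMP = "Tom &amp; Jerry"


def php_htmlspecialchars(s: str) -> str:
    """Model of PHP htmlspecialchars($s, ENT_COMPAT, 'utf-8'):
    escapes & < > and double quotes, leaves single quotes alone."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def string_html_specialchars(s: str) -> str:
    """Model of string_api::string_html_specialchars(): escape, then turn
    '&amp;' back into '&' wherever an entity name or number follows, so an
    entity the user typed literally is emitted as a live entity."""
    escaped = php_htmlspecialchars(s)
    return re.sub(r"&amp;(#[0-9]+|[a-z]+);", r"&\1;", escaped, flags=re.I)


def string_textarea_current(s: str) -> str:
    """What string_textarea() emits today: the same filter as for display."""
    return string_html_specialchars(s)


def string_textarea_proposed(s: str) -> str:
    """The note's proposal: plain htmlspecialchars and nothing else."""
    return php_htmlspecialchars(s)


def edit_round_trip(stored: str, textarea_filter) -> str:
    """Open the edit form and save without touching the text. The browser
    decodes character references inside <textarea> before submitting,
    which html.unescape() reproduces here."""
    return html.unescape(textarea_filter(stored))


def compare(stored: str) -> dict:
    """Text after one unedited save under both filters, and whether each
    filter preserved the stored description byte for byte."""
    current = edit_round_trip(stored, string_textarea_current)
    proposed = edit_round_trip(stored, string_textarea_proposed)
    return {"current": current, "current_preserved": current == stored,
            "proposed": proposed, "proposed_preserved": proposed == stored}


if __name__ == "__main__":
    for sample in (SAMPLE_TAG, SAMPLE_AMP):
        print(repr(sample), "->", compare(sample))
```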