View Issue Details

IDProjectCategoryView StatusLast Update
0016562mantisbttaggingpublic2020-09-21 08:23
Reporterdregad Assigned To 
PrioritylowSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version1.2.15 
Summary0016562: HTML in tag names should not be rendered
Description

Defining a tag as '<b>tagname</b>' actually displays it in bold.

It is confusing to user because another tag 'tagname' can be defined; they are both displayed as 'tagname' (one in bold, one not), but filtering on 'T' only displays the tag without HTML.

Additional Information

As discussed in http://thread.gmane.org/gmane.comp.bug-tracking.mantis.devel/4730

TagsNo tags attached.

Activities

dregad

dregad

2013-11-01 06:07

developer   ~0038412

I'm wondering if this is not by design after all.

It appears that we have the exact same behavior in many other places in the system, pretty much everywhere in fact, e.g. categories, project name, user realname, etc. as they are generally printed with string_display_line and therefore accept tags defined in $g_html_valid_tags_single_line.

Therefore I'm now thinking we should leave this as it is, and just merge the'<admincheck>' tag with the 'admincheck' one in this tracker.

Thoughts?

vboctor

vboctor

2013-11-03 15:02

manager   ~0038431

My feedback that I sent to the developers DL [1]:

I would suggest than we disallow such tags in entity names like projects, tags, users, etc. We should probably limit the names to include standard printable characters like alpha, digits, underscore, dash, dot, etc.

We should allow spaces, but disallow "some[space][space]x", i.e. replace N spaces with a single space, and trim left/right.

The question is what to do with the existing entities that may violate such rules. We could handle them as part of the upgrader, or just sanitize at print time and use some new string_display method.

[1] http://thread.gmane.org/gmane.comp.bug-tracking.mantis.devel/4730/focus=4733