Okay so the problem does not appear to happen here for some reason... The generated HTML looks like this on my Mantis instance:

<blockquote style="padding:0.13em 1em;color:<a href=" view.php?id="777"" title="[assigned] (title of issue 777)">0000777;border-left:0.25em solid #C0C0C0;font-size:13px;">
<p>(content)</p>
&lt;/blockquote>

And apparently quoting HTML inside markdown makes it even more broken, so I guess I'll have to resort to a screenshot instead:

html.png (6,468 bytes)   

html.png (6,468 bytes)   

Okay so the problem does not appear to happen here for some reason

Same on my test system using version 2.13.1 and Markdown enabled.
I am not able to reproduce the issue.

Maybe you have installed some 3rd party plugins or changed original source of Mantis?

I re-downloaded the mantis 2.13.1 zip just to be sure, and disabled my self-written plugin just to be sure, but no change in output.

This is happening to me too. I started a discussion here:

https://mantisbt.org/forums/viewtopic.php?f=2&t=25469

It was not like this with the last version I was using 2.12.0 so it is not caused by plugins.

For me, it seems that the quotes and the left chevron are not displaying right.

I'm running PHP 5.6 on Debian Jessie, in case that might make a difference.

It also seems like html tags are not rendered at all even when they are whitelisted.

I'm running PHP 5.6 on Debian Jessie, in case that might make a difference.

My site is hosted with one.com and it too is using PHP 5.6. Eitherway the rendering was fine with version 2.12.0 and now with 2.13.1 it is not so something has to have changed somewhere.

My local XAMPP with exactly the same Mantis install but PHP 7 doesn't seem to have the Markdown problem; but this instance, too, does not render any of the $g_html_valid_tags.

I just updated my domain to PHP 7 (about 20 minutes ago) but no joy ...

I think there are two (possibly related) issues: The first one that misrenders blockquotes, and the one that turns < and & into their HTML entities; the first issue might be resolved by upgrading to PHP7, the second does not (see also my first comment above, it still has the issue even here on the issue tracker.)

The first one that misrenders blockquotes
the first issue might be resolved by upgrading to PHP7

I am not able to reproduce using PHP 5.6.32

and the one that turns < and & into their HTML entities

Confirmed

does not render any of the $g_html_valid_tags

Confirmed

@atrol Do you have any suggestions how I could possibly debug the blockquote issue? As said the source code is not modified, and disabling my self-written plugin does not fix it, and removing most of my config_inc.php also does not help. So I wonder which remaining variables there are that could influence this behaviour...

Another update: I imported my live database into the XAMPP installation. Now both the files and the database match, and I have the same blockquote rendering issue on both systems. So it must be a database value that's causing the issue...?

Duh... It's more simple than I thought: My previous test install didn't have issue #777. And on this very instance of MantisBT, issue #777 seems to be missing as well. If your own test install also doesn't have issue #777, you will also not see the issue. So to reproduce the issue, you need an installation where issue #777 exists.

Notice how #777 is not turned into a clickable link in my previous comment; this is why it works on this issue tracker. But if issue #777 existed, I am sure the blockquote bug would also show up here.

But if issue #777 existed, I am sure the blockquote bug would also show up here.

Confirmed

Sorry to say, there is no quick solution for that, as there is a conceptual problem.

I recommend to go on using 2.12.0 until there is a fix for it.

But what about my database? I alas did not back it up although I can request a image restore from my host. Can I use current database and just rename my path to previous version?

Can I use current database and just rename my path to previous version?

No worries, you can.
Database is not affected.

@j_schultz if you want to go on using 2.13.1, as a workaround for the blockquote issue, change the following line (should be 172) in plugins/MantisCoreFormatting/core/MantisMarkdown.php from

            $block['element']['attributes']['style'] = 'padding:0.13em 1em;color:#777;border-left:0.25em solid #C0C0C0;font-size:13px;';

to

            $block['element']['attributes']['style'] = 'padding:0.13em 1em;color:#777777;border-left:0.25em solid #C0C0C0;font-size:13px;';

@atrol wrote:

No worries, you can.
Database is not affected.

Thanks. I have reverted to 2.12.0 until I hear otherwise.

Thanks. I have reverted to 2.12.0 until I hear otherwise.

Just be aware of the XSS vulnerability fixed by 0024186 - you may want to consider temporarily disabling markdown.

@dregad But for how long?

If I disable markdown then I just as well use 2.13.1 :)

Why can't I edit my notes here?

I get access denied when I try to view: https://www.mantisbt.org/bugs/view.php?id=24186

I get access denied when I try to view: 0024186

Apologies, I forgot to set it to public after 2.12.1 was released. Fixed now.

If I disable markdown then I just as well use 2.13.1 :)

That was the idea ;-)

But for how long?

Unfortunately I lost my crystal ball, so I can't tell... But considering the severity of this issue, I hope we can fix it quickly.

Why can't I edit my notes here?

We use the default setting for _update_bugnotethreshold... I guess it would make sense to change it to REPORTER.

Apologies, I forgot to set it to public after 2.12.1 was released. Fixed now.

Thanks.

That was the idea ;-)

I have reverted to 2.13.1 so how do I temporarly disable markdown? I also have two plugins

• Markdown Editor
• Markdown Preview

how do I temporarly disable markdown

Just go to Manage / Plugins / MantisBT Formatting and set Markdown Processing to Off.

As for the other plugins, I don't use them so I don't know for sure, but you should be able to simply Uninstall them.

OK, well, I have switched if off and uninstalled the plugins. Understandably I would like to switch it back on as soon as possible as many of the issues look "ugly" noew with all the raw markdown.

I agree that it's ugly, but probably better than having a gaping XSS security hole ;-)

We'll do our best to fix it quickly

Set Version to 2.12.1 as this is the version where the issues are introduced.

You want me to download 2.12.1 and stick with that (with markdown disabled)?

Created 0024241 to follow up the 0024233:0059464 $g_html_valid_tags issue.

The HTML rendering issue 0024233:0059455 should be covered by 0024240.

So let's use this issue just to track the quote issue which is reproducible if issue with number 777 does exist.

You want me to download 2.12.1 and stick with that (with markdown disabled)?

No, 2.12.1 is bad and 2.13.1 is also bad in terms of Markdown.

PR https://github.com/mantisbt/mantisbt/pull/1331