Mantis Bug Tracker

View Issue Details
ID: 0002011
Project: Core Inform
Category: Indexing
View Status: public
Date Submitted: 2017-04-18 16:04
Last Update: 2017-04-19 01:52
Reporter: prevtenet
Assigned To:
Priority: low
Severity: mild
Reproducibility: always
Status: confirmed
Resolution: open
Platform: x86_64
OS: Windows
OS Version: 10
Product Version: 6M62
Target Version:
Fixed in Version:
Summary: 0002011: HTML entities in source code are not sanitized in error messages
Description: The IDE does not sanitize HTML entities in text quoted in error messages. This is very rarely a problem, but it might occasionally cause trouble for people working on hybrid I7/web works where quoted text contains HTML or JavaScript intended to be piped to the browser.

(I have only tested this on the Windows IDE, but it may also occur on other platforms.)
Minimal Source Text To Reproduce:
Tim's Lab is a room. "<b>Tim sits here, presiding magisterially over his creation</b>" When play begins: do nothing.
Tags: No tags attached.
Effect: (cosmetic) Index is created incorrectly
Attached Files:

- Relationships

- Notes
(0004679)
prevtenet (reporter)
2017-04-18 16:06
edited on: 2017-04-18 16:07

Whoops, the "Tim sits here" text in the example is meant to be surrounded by HTML bold tags < b >. Also, there's not meant to be a line break between the two lines, so it throws an error.

(0004680)
zarf (developer)
2017-04-18 20:54

Confirmed. This is a core compiler bug, not an IDE bug. The compiler generates Build/Problems.html in the project file, and the escaping needs to happen there.
(0004681)
zarf (developer)
2017-04-18 20:58
edited on: 2017-04-18 20:58

Weirdly, the compiler *does* escape the tags "p" and "div", but not "b" or "i". (Angle brackets omitted because the bug tracker doesn't escape them either!)
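
As an added illustration of the escaping problem discussed in these notes (example code written for this page, not the Inform compiler's code; the partial escaper is a hypothetical reconstruction of the p/div-only behaviour zarf describes, and the sample source line is the reporter's example with the stripped bold tags restored), the block below shows why tag-by-tag escaping leaks markup into Problems.html and how escaping every metacharacter fixes it, with a small check that reports any tag-like token that survived:

```python
import html
import re

# Constructed sample: the reporter's source line with the <b> tags restored
# (the tracker stripped them from the issue text).
SAMPLE_SOURCE = (
    "Tim's Lab is a room. "
    '"<b>Tim sits here, presiding magisterially over his creation</b>"'
)

# Hypothetical reconstruction of the behaviour described in note 0004681:
# only <p> and <div> (opening or closing) are neutralised; everything else
# reaches the browser unchanged. Not the Inform compiler's real code.
_PARTIAL = re.compile(r"<(/?)(p|div)(\s[^>]*)?>", re.IGNORECASE)


def escape_partial(text: str) -> str:
    """Escape only p/div tags; any other tag (b, i, script, ...) survives."""
    return _PARTIAL.sub(
        lambda m: "&lt;" + m.group(1) + m.group(2) + (m.group(3) or "") + "&gt;",
        text,
    )


def escape_full(text: str) -> str:
    """The fix: escape every HTML metacharacter, whatever tag it belongs to.
    html.escape covers & < > and, with quote=True, both quote characters."""
    return html.escape(text, quote=True)


def render_problem(message: str, quoted_source: str, escaper=escape_full) -> str:
    """Build one Problems.html-style paragraph that quotes a piece of source.
    Only the quoted source is untrusted; the message is the compiler's own."""
    return f"<p>{message} <code>{escaper(quoted_source)}</code></p>"


_RAW_TAG = re.compile(r"<(/?[A-Za-z][A-Za-z0-9]*)")


def raw_tags(fragment: str) -> list:
    """Check: list any tag-like tokens that reached the output unescaped."""
    return _RAW_TAG.findall(fragment)


if __name__ == "__main__":
    for name, esc in (("partial", escape_partial), ("full", escape_full)):
        print(name, "leaked tags:", raw_tags(esc(SAMPLE_SOURCE)))
        print("  ", render_problem("Problem. You wrote", SAMPLE_SOURCE, esc))
```

Run as a script, the partial escaper reports `['b', '/b']` leaking through while the full escaper reports nothing; the point is that an allow-list of tags to neutralise can never be complete, so the quoted source has to be escaped as data, not filtered as markup.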


- Issue History
Date Modified Username Field Change
2017-04-18 16:04 prevtenet New Issue
2017-04-18 16:06 prevtenet Note Added: 0004679
2017-04-18 16:07 prevtenet Note Edited: 0004679 View Revisions
2017-04-18 20:52 zarf Steps to Reproduce Updated View Revisions
2017-04-18 20:53 zarf Steps to Reproduce Updated View Revisions
2017-04-18 20:54 zarf Note Added: 0004680
2017-04-18 20:54 zarf Status new => confirmed
2017-04-18 20:58 zarf Note Added: 0004681
2017-04-18 20:58 zarf Note Edited: 0004681 View Revisions
2017-04-18 20:58 zarf Note Edited: 0004681 View Revisions
2017-04-19 01:48 DavidK Project All Inform front-end applications => Core Inform
2017-04-19 01:49 DavidK Effect => (cosmetic) Index is created incorrectly
2017-04-19 01:49 DavidK Category User Interface => Indexing
2017-04-19 01:49 DavidK Steps to Reproduce Updated View Revisions
2017-04-19 01:52 DavidK Summary IDE does not sanitize HTML entities in error messages => HTML entities in source code are not sanitized in error messages

