View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0016562||mantisbt||tagging||public||2013-10-31 20:30||2020-09-21 08:23|
|Summary||0016562: HTML in tag names should not be rendered|
Defining a tag as '<b>tagname</b>' actually displays it in bold.
It is confusing to user because another tag 'tagname' can be defined; they are both displayed as 'tagname' (one in bold, one not), but filtering on 'T' only displays the tag without HTML.
|Tags||No tags attached.|
I'm wondering if this is not by design after all.
It appears that we have the exact same behavior in many other places in the system, pretty much everywhere in fact, e.g. categories, project name, user realname, etc. as they are generally printed with string_display_line and therefore accept tags defined in $g_html_valid_tags_single_line.
Therefore I'm now thinking we should leave this as it is, and just merge the'<admincheck>' tag with the 'admincheck' one in this tracker.
My feedback that I sent to the developers DL :
I would suggest than we disallow such tags in entity names like projects, tags, users, etc. We should probably limit the names to include standard printable characters like alpha, digits, underscore, dash, dot, etc.
We should allow spaces, but disallow "some[space][space]x", i.e. replace N spaces with a single space, and trim left/right.
The question is what to do with the existing entities that may violate such rules. We could handle them as part of the upgrader, or just sanitize at print time and use some new string_display method.