View Issue Details

IDProjectCategoryView StatusLast Update
0016562mantisbttaggingpublic2020-09-21 08:23
Reporterdregad Assigned To 
Status newResolutionopen 
Product Version1.2.15 
Summary0016562: HTML in tag names should not be rendered

Defining a tag as '<b>tagname</b>' actually displays it in bold.

It is confusing to user because another tag 'tagname' can be defined; they are both displayed as 'tagname' (one in bold, one not), but filtering on 'T' only displays the tag without HTML.

Additional Information

As discussed in

TagsNo tags attached.




2013-11-01 06:07

developer   ~0038412

I'm wondering if this is not by design after all.

It appears that we have the exact same behavior in many other places in the system, pretty much everywhere in fact, e.g. categories, project name, user realname, etc. as they are generally printed with string_display_line and therefore accept tags defined in $g_html_valid_tags_single_line.

Therefore I'm now thinking we should leave this as it is, and just merge the'<admincheck>' tag with the 'admincheck' one in this tracker.




2013-11-03 15:02

manager   ~0038431

My feedback that I sent to the developers DL [1]:

I would suggest than we disallow such tags in entity names like projects, tags, users, etc. We should probably limit the names to include standard printable characters like alpha, digits, underscore, dash, dot, etc.

We should allow spaces, but disallow "some[space][space]x", i.e. replace N spaces with a single space, and trim left/right.

The question is what to do with the existing entities that may violate such rules. We could handle them as part of the upgrader, or just sanitize at print time and use some new string_display method.


Issue History

Date Modified Username Field Change
2013-10-31 20:30 dregad New Issue
2013-11-01 06:07 dregad Note Added: 0038412
2013-11-03 15:02 vboctor Note Added: 0038431