View Issue Details

ID: 0024233
Project: mantisbt
Category: markdown
View Status: public
Last Update: 2018-04-29 19:21
Reporter: j_schultz
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.12.1
Target Version: 2.13.2
Fixed in Version: 2.13.2
Summary: 0024233: Markdown quoting rendered with broken HTML
Description

Using markdown quotes generates broken HTML output in Mantis 2.13. It looked okay in Mantis 2.12.
I thought it might be because we added blockquote to $g_html_valid_tags but even after removing it again, it still renders improperly.

Steps To Reproduce

This is a test.

Test.

Tags: No tags attached.
Attached Files

Relationships

related to 0024202 (closed, atrol): Broken rendering of @ mentions, # issue and ~ note links
related to 0024186 (closed, dregad): CVE-2018-1000162: XSS vulnerability in Parsedown library
related to 0024241 (assigned, dregad): $g_html_valid_tags are not rendered if Markdown is enabled
related to 0024240 (closed, dregad): XML in Markdown Code is not rendered correctly
related to 0022190 (closed, community): Markdown markup should be done with CSS classes, not inline styles

Activities

j_schultz (reporter) 2018-04-06 15:33 ~0059454

Okay so the problem does not appear to happen here for some reason... The generated HTML looks like this on my Mantis instance:

<blockquote style="padding:0.13em 1em;color:<a href=" view.php?id="777"" title="[assigned] (title of issue 777)">0000777;border-left:0.25em solid #C0C0C0;font-size:13px;">
<p>(content)</p>
&lt;/blockquote>

j_schultz (reporter) 2018-04-06 15:34 ~0059455

And apparently quoting HTML inside markdown makes it even more broken, so I guess I'll have to resort to a screenshot instead:

html.png (6,468 bytes)

atrol (developer) 2018-04-08 12:06 ~0059458

> Okay so the problem does not appear to happen here for some reason

Same on my test system using version 2.13.1 and Markdown enabled.
I am not able to reproduce the issue.

Maybe you have installed some 3rd party plugins or changed original source of Mantis?

j_schultz (reporter) 2018-04-08 13:54 ~0059459

I re-downloaded the mantis 2.13.1 zip just to be sure, and disabled my self-written plugin just to be sure, but no change in output.

ajtruckle (reporter) 2018-04-08 13:58 ~0059460

This is happening to me too. I started a discussion here:

https://mantisbt.org/forums/viewtopic.php?f=2&t=25469

It was not like this with the last version I was using 2.12.0 so it is not caused by plugins.

For me, it seems that the quotes and the left chevron are not displaying right.

j_schultz (reporter) 2018-04-08 14:01 ~0059461

I'm running PHP 5.6 on Debian Jessie, in case that might make a difference.

j_schultz (reporter) 2018-04-08 14:02 ~0059462

It also seems like html tags are not rendered at all even when they are whitelisted.

ajtruckle (reporter) 2018-04-08 14:08 ~0059463

> I'm running PHP 5.6 on Debian Jessie, in case that might make a difference.

My site is hosted with one.com and it too is using PHP 5.6. Either way, the rendering was fine with version 2.12.0 and now with 2.13.1 it is not, so something has to have changed somewhere.

j_schultz (reporter) 2018-04-08 14:15 ~0059464

My local XAMPP with exactly the same Mantis install but PHP 7 doesn't seem to have the Markdown problem; but this instance, too, does not render any of the $g_html_valid_tags.

ajtruckle (reporter) 2018-04-08 14:38 ~0059465

I just updated my domain to PHP 7 (about 20 minutes ago) but no joy ...

j_schultz (reporter) 2018-04-08 15:00 ~0059466

I think there are two (possibly related) issues: The first one that misrenders blockquotes, and the one that turns < and & into their HTML entities; the first issue might be resolved by upgrading to PHP7, the second does not (see also my first comment above, it still has the issue even here on the issue tracker.)

atrol (developer) 2018-04-08 15:14 ~0059467

> The first one that misrenders blockquotes
> the first issue might be resolved by upgrading to PHP7

I am not able to reproduce using PHP 5.6.32

> and the one that turns < and & into their HTML entities

Confirmed

> does not render any of the $g_html_valid_tags

Confirmed

j_schultz (reporter) 2018-04-08 15:18 ~0059468

@atrol Do you have any suggestions how I could possibly debug the blockquote issue? As said the source code is not modified, and disabling my self-written plugin does not fix it, and removing most of my config_inc.php also does not help. So I wonder which remaining variables there are that could influence this behaviour...

j_schultz (reporter) 2018-04-08 16:11 ~0059469

Another update: I imported my live database into the XAMPP installation. Now both the files and the database match, and I have the same blockquote rendering issue on both systems. So it must be a database value that's causing the issue...?

j_schultz (reporter) 2018-04-08 16:19 ~0059470

Duh... It's more simple than I thought: My previous test install didn't have issue #777. And on this very instance of MantisBT, issue #777 seems to be missing as well. If your own test install also doesn't have issue #777, you will also not see the issue. So to reproduce the issue, you need an installation where issue #777 exists.

j_schultz (reporter) 2018-04-08 16:20 ~0059471

Notice how #777 is not turned into a clickable link in my previous comment; this is why it works on this issue tracker. But if issue #777 existed, I am sure the blockquote bug would also show up here.

atrol (developer) 2018-04-08 16:58 ~0059472

> But if issue #777 existed, I am sure the blockquote bug would also show up here.

Confirmed

atrol (developer) 2018-04-08 17:19 ~0059473
Last edited: 2018-04-08 17:58

Sorry to say, there is no quick solution for that, as there is a conceptual problem.

I recommend going on using 2.12.0 until there is a fix for it.

ajtruckle (reporter) 2018-04-08 22:41 ~0059474

But what about my database? I alas did not back it up, although I can request an image restore from my host. Can I use the current database and just rename my path to the previous version?

atrol (developer) 2018-04-09 00:36 ~0059475

> Can I use current database and just rename my path to previous version?

No worries, you can.
Database is not affected.

atrol (developer) 2018-04-09 02:38 ~0059476
Last edited: 2018-04-09 02:39

@j_schultz if you want to go on using 2.13.1, as a workaround for the blockquote issue, change the following line (should be 172) in plugins/MantisCoreFormatting/core/MantisMarkdown.php from

            $block['element']['attributes']['style'] = 'padding:0.13em 1em;color:#777;border-left:0.25em solid #C0C0C0;font-size:13px;';

to

            $block['element']['attributes']['style'] = 'padding:0.13em 1em;color:#777777;border-left:0.25em solid #C0C0C0;font-size:13px;';
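
The mechanism behind the breakage, as an added illustration that is not MantisBT's own code: a later pass that turns `#NNN` into issue links is run over the already-rendered HTML, so the `#777` in the blockquote's inline style is matched as soon as issue 777 exists. The block reproduces that with a whole-string regex pass, shows why the rgb() workaround sidesteps it, and contrasts a pass that only rewrites text nodes; the sample markup is constructed, the `view.php?id=` link shape mirrors the reporter's output, and `issue_exists` is an assumed stand-in for the database lookup.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the blockquote markup discussed in the thread,
# in the hex form (color:#777) and the rgb() form used by the fix.
HEX_HTML = ('<blockquote style="padding:0.13em 1em;color:#777;'
            'border-left:0.25em solid #C0C0C0;font-size:13px;">'
            '<p>See #777 for details</p></blockquote>')
RGB_HTML = HEX_HTML.replace('color:#777;', 'color:rgb(119,119,119);')

ISSUE_REF = re.compile(r'#(\d+)')

def issue_exists(n):
    return n == 777  # assumed stand-in for the database lookup

def linkify(text):
    """Turn #NNN into an issue link when issue NNN exists. Over whole HTML
    this is the thread's bug: #777 in the style attribute is rewritten too."""
    def repl(m):
        n = int(m.group(1))
        if issue_exists(n):
            return '<a href="view.php?id=%d">%s</a>' % (n, m.group(0))
        return m.group(0)
    return ISSUE_REF.sub(repl, text)

class TextOnlyLinkifier(HTMLParser):
    """Rewrite references in text nodes only; tags/attributes pass through."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        self.out.append('</%s>' % tag)
    def handle_data(self, data):
        self.out.append(linkify(data))
    def handle_entityref(self, name):
        self.out.append('&%s;' % name)
    def handle_charref(self, name):
        self.out.append('&#%s;' % name)

def linkify_text_nodes(html):
    p = TextOnlyLinkifier()
    p.feed(html)
    p.close()
    return ''.join(p.out)

def style_attrs_intact(html):
    """True when no style attribute value has been split open by a tag."""
    return all('<' not in v for v in re.findall(r'style="([^"]*)"', html))
```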

ajtruckle (reporter) 2018-04-09 03:29 ~0059477

@atrol wrote:

> No worries, you can.
> Database is not affected.

Thanks. I have reverted to 2.12.0 until I hear otherwise.

dregad (developer) 2018-04-09 04:24 ~0059478

> Thanks. I have reverted to 2.12.0 until I hear otherwise.

Just be aware of the XSS vulnerability fixed by 0024186 - you may want to consider temporarily disabling markdown.

ajtruckle (reporter) 2018-04-09 05:12 ~0059481

@dregad But for how long?

ajtruckle (reporter) 2018-04-09 05:17 ~0059482

If I disable markdown then I just as well use 2.13.1 :)

ajtruckle (reporter) 2018-04-09 05:25 ~0059483

Why can't I edit my notes here?

I get access denied when I try to view: https://www.mantisbt.org/bugs/view.php?id=24186

dregad (developer) 2018-04-09 06:38 ~0059485

> I get access denied when I try to view: 0024186

Apologies, I forgot to set it to public after 2.12.1 was released. Fixed now.

> If I disable markdown then I just as well use 2.13.1 :)

That was the idea ;-)

> But for how long?

Unfortunately I lost my crystal ball, so I can't tell... But considering the severity of this issue, I hope we can fix it quickly.

> Why can't I edit my notes here?

We use the default setting for $g_update_bugnote_threshold... I guess it would make sense to change it to REPORTER.

ajtruckle (reporter) 2018-04-09 06:47 ~0059486

> Apologies, I forgot to set it to public after 2.12.1 was released. Fixed now.

Thanks.

> That was the idea ;-)

I have reverted to 2.13.1, so how do I temporarily disable markdown? I also have two plugins:

  • Markdown Editor
  • Markdown Preview

dregad (developer) 2018-04-09 10:14 ~0059488

> how do I temporarily disable markdown

Just go to Manage / Plugins / MantisBT Formatting and set Markdown Processing to Off.

As for the other plugins, I don't use them so I don't know for sure, but you should be able to simply Uninstall them.

ajtruckle (reporter) 2018-04-09 10:21 ~0059490

OK, well, I have switched it off and uninstalled the plugins. Understandably I would like to switch it back on as soon as possible, as many of the issues look "ugly" now with all the raw markdown.

dregad (developer) 2018-04-09 11:25 ~0059491

I agree that it's ugly, but probably better than having a gaping XSS security hole ;-)

We'll do our best to fix it quickly

atrol (developer) 2018-04-09 17:22 ~0059499

Set Version to 2.12.1 as this is the version where the issues are introduced.

ajtruckle (reporter) 2018-04-09 17:30 ~0059503

You want me to download 2.12.1 and stick with that (with markdown disabled)?

atrol (developer) 2018-04-09 17:35 ~0059504
Last edited: 2018-04-09 17:54

Created 0024241 to follow up the 0024233:0059464 $g_html_valid_tags issue.

The HTML rendering issue 0024233:0059455 should be covered by 0024240.

So let's use this issue just to track the quote issue which is reproducible if issue with number 777 does exist.

atrol (developer) 2018-04-09 17:38 ~0059505

> You want me to download 2.12.1 and stick with that (with markdown disabled)?

No, 2.12.1 is bad and 2.13.1 is also bad in terms of Markdown.

atrol (developer) 2018-04-11 04:28 ~0059525

PR https://github.com/mantisbt/mantisbt/pull/1331

Related Changesets

MantisBT: master-2.13 88913cb3 (2018-04-11 00:13, atrol)

Use rgb color values for Markdown quote styling

Workaround as using hex values for colors starting with # introduces
unwanted side effects.

Fixes 0024233

Affected Issues: 0024233
mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php