mantisbt-plugins / Announce

Announcements plugin for MantisBT, lets privileged accounts create and post announcements that can be shown to users on a global or per-project basis, and allow users to dismiss individual messages.
MIT License

Text processing for display destroys A tag content #54

Closed jerome-dl closed 3 years ago

jerome-dl commented 4 years ago

Hi, it is allowed (and that's nice!) to enter some HTML tags in the text (and even in the title) of the announcement we want to have displayed. However, when trying to add an <a> tag, the result is modified and, especially, the text between the <a> and </a> tags is lost. E.g.: <a href="https://***/workflow-mantis.png" target="_blank">Workflow</a> becomes <a href="https://***/workflow-mantis.png">https://***/workflow-mantis.png</a>

I know the target attribute is not officially supported by HTML5 (however widely used, still) so I may understand it remains filtered.

Kind regards, Jérôme

dregad commented 3 years ago

@jerome-dl the text processing is done via standard MantisBT API calls.

In this specific case, the plugin calls string_display_links(), which relies on the MantisCoreFormatting plugin. This process removes anchor tags for security reasons (preventing potential XSS attacks), using the string_strip_hrefs() function.
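The two-step behaviour dregad describes (author-supplied anchors are reduced to their bare href, then bare URLs are auto-linked with a fixed attribute set) is what turns `<a ...>Workflow</a>` into a link whose text is the URL itself. The following is an added illustration written for this issue; it is not MantisBT's `string_strip_hrefs()` or `string_display_links()` code and does not claim to match their exact regular expressions. The function names `strip_hrefs` and `display_links` and the sample announcement text are constructed for the example.

```python
import html
import re

# Matches an <a ...> element that carries an href attribute, capturing the href value.
# Attributes other than href (target, onclick, class, ...) and the link label are
# deliberately not captured: that is what makes the anchor safe to rebuild later.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*["\']([^"\']*)["\'][^>]*>.*?</a>',
    re.IGNORECASE | re.DOTALL,
)

# Only http(s) URLs are auto-linked; anything with another scheme stays plain text.
URL_RE = re.compile(r'\bhttps?://[^\s<>"\']+', re.IGNORECASE)


def strip_hrefs(text: str) -> str:
    """Replace every author-supplied <a ...>label</a> with its bare href value.

    The label and every attribute are discarded, so an event-handler attribute
    or a non-http href in the original markup never reaches the output.
    Anchors without an href attribute are left untouched here (a general tag
    filter, out of scope for this example, would deal with them).
    """
    return ANCHOR_RE.sub(lambda m: m.group(1), text)


def display_links(text: str) -> str:
    """Strip author anchors, then auto-link the remaining http(s) URLs.

    The rebuilt anchor has exactly one attribute (href) and uses the escaped
    URL as both href and visible text, which reproduces the symptom reported
    in this issue: the original link label is lost.
    """
    stripped = strip_hrefs(text)

    def link(m: re.Match) -> str:
        safe = html.escape(m.group(0), quote=True)
        return f'<a href="{safe}">{safe}</a>'

    return URL_RE.sub(link, stripped)


# Constructed sample announcement, modelled on the report above (not the reporter's text).
SAMPLE = ('Read the <a href="https://example.test/workflow.png" target="_blank">'
          'Workflow</a> guide')

if __name__ == "__main__":
    print("input:  ", SAMPLE)
    print("stripped:", strip_hrefs(SAMPLE))
    print("output: ", display_links(SAMPLE))
```

Running it shows why the label disappears: after `strip_hrefs` the text contains only the bare URL, so the auto-linker has nothing else to use as the link text. The design trade-off is that dropping the whole attribute list (rather than trying to allow-list `target`) is what keeps `onclick`-style attributes from surviving, at the cost of the author's label and `target="_blank"`.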