Modify

Opened 6 years ago

Closed 5 years ago

#9444 closed defect (fixed)

[Patch] Quotes in the summary have backslashes added

Reported by: Ryan J Ollos Owned by: Chris Nelson
Priority: normal Component: TracJsGanttPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description

If the summary contains quotes, backslashes are added. For example, this ticket has the summary Develop the "Freeze Display" feature of the system:

Attachments (1)

SummaryWithQuotes.png (10.0 KB) - added by Ryan J Ollos 6 years ago.

Download all attachments as: .zip

Change History (9)

Changed 6 years ago by Ryan J Ollos

Attachment: SummaryWithQuotes.png added

comment:1 Changed 6 years ago by Chris Nelson

Is this new behavior since the change to using javascript_quote()?

comment:2 in reply to:  1 Changed 6 years ago by Ryan J Ollos

Summary: Quotes in the summary have backslashes added[Patch] Quotes in the summary have backslashes added

Replying to ChrisNelson:

Is this new behavior since the change to using javascript_quote()?

Yeah, this is tested with r10837. The issue is that javascript_quote is being executed twice on the items that build up the name string. Here is a patch:

  • 0.11/tracjsgantt/tracjsgantt.py

     
    940944                   (ticket['id'], javascript_quote(ticket['summary']),
    941945                    javascript_quote(ticket['status']),
    942946                    javascript_quote(ticket['type']))
    943         task += 't = new JSGantt.TaskItem(%d,"%s",' % (ticket['id'], javascript_quote(name))
     947        task += 't = new JSGantt.TaskItem(%d,"%s",' % (ticket['id'], name)
    944948
    945949        # pStart, pEnd
    946950        task += '"%s",' % ticket['calc_start'].strftime(self.pyDateFormat)

A second way to fix it would be to just escape the name string after it is created, which might make it more obvious that the string being executed as javascript is properly escaped.

  • 0.11/tracjsgantt/tracjsgantt.py

     
    931935        if ticket['type'] == self.milestoneType:
    932936            if ticket['id'] < self.firstMilestoneID:
    933937                # Put ID number on inchpebbles
    934                 name = 'MS:%s (#%s)' % (javascript_quote(ticket['summary']), ticket['id'])
     938                name = 'MS:%s (#%s)' % (ticket['summary'], ticket['id'])
    935939            else:
    936940                # Don't show bogus ID of milestone pseudo tickets.
    937941                name = 'MS:%s' % ticket['summary']
    938942        else:
    939943            name = "#%d:%s (%s %s)" % \
    940                    (ticket['id'], javascript_quote(ticket['summary']),
    941                     javascript_quote(ticket['status']),
    942                     javascript_quote(ticket['type']))
     944                   (ticket['id'], ticket['summary'], ticket['status'],  ticket['type'])
    943945        task += 't = new JSGantt.TaskItem(%d,"%s",' % (ticket['id'], javascript_quote(name))
    944946
    945947        # pStart, pEnd

If you go with the first patch, you'll probably also want to fix this missing javascript_quote call (which is fixed implicitly by the second patch):

  • 0.11/tracjsgantt/tracjsgantt.py

     
    934938                name = 'MS:%s (#%s)' % (javascript_quote(ticket['summary']), ticket['id'])
    935939            else:
    936940                # Don't show bogus ID of milestone pseudo tickets.
    937                 name = 'MS:%s' % ticket['summary']
     941                name = 'MS:%s' % javascript_quote(ticket['summary'])
    938942        else:
    939943            name = "#%d:%s (%s %s)" % \
    940944                   (ticket['id'], javascript_quote(ticket['summary']),

comment:3 Changed 5 years ago by anonymous

Owner: changed from Chris Nelson to anonymous
Status: newassigned

comment:4 Changed 5 years ago by Chris Nelson

Owner: changed from anonymous to Chris Nelson
Status: assignednew

comment:5 Changed 5 years ago by Chris Nelson

(In [10860]) Only protect strings once. Refs #9444.

The parts of the task name were processed with javascript_quote() then the name was processed, too. This resulted in things like '\"' showing up in the chart if there were quotes in tickets summaries.

comment:6 Changed 5 years ago by Chris Nelson

(In [10861]) Minor white space clean up. Refs #9444.

comment:7 Changed 5 years ago by Chris Nelson

Status: newassigned

comment:8 Changed 5 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

I've tested at r10876 and I'm seeing that this issue is resolved.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Chris Nelson.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.