View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0034018 | mantisbt | filters | public | 2024-03-11 10:05 | 2024-04-07 05:22 |
Reporter | nebjanim | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 2.26.0 | ||||
Target Version | 2.26.2 | Fixed in Version | 2.26.2 | ||
Summary | 0034018: Filter "assigned to" and "monitor by" shows <br /> between the users when selecting multiple (advanced filtering) | ||||
Description | This issue was already reported in 0024899 and solved according to the entry in 2.18.1. But it still seems to be a problem. I have also compared with the latest version 2.27.0. There are no differences in the filter_form_api.php and MantisCoreFormatting.php compared to 2.26.0. Interestingly, the "Reporter" field works correctly. In the function print_filter_values_reporter_id there is only "echo $t_output;" as output. As a test, I changed in the function print_filter_values_handler_id the line "echo string_display( $t_output );" to "echo $t_output;". This solves the problem only for "Assigned to". Unfortunately, it is not clear to me why I cannot reproduce this issue in your system. Do you have any ideas? What else can I check? Many thanks in advance and sorry for the long text. I appreciate your help. | ||||
Tags | No tags attached. | ||||
Do you have any 3rd party plugins installed? |
|
This is the list of installed plugins: I use the setting "$g_show_realname = ON;". But setting this to "OFF" shows the same behaviour. The html code looks like shown below: |
|
I was not able to reproduce the issue using the given information. Did you run admin/check/index.php and fix all errors and/or warnings? |
|
Are you sure your filter_form_api.php has not been modified locally vs the original distribution file [1] ? |
|
Thank you for your quick response. I will answer your question as follows:
Admin_check.htm (12,022 bytes)
|
Can you add |
|
nebjanim, You did not provide any feedback; I am therefore resolving this issue as "unable to reproduce". Feel free to reopen the issue at a later time and provide the requested information. |
|
Sorry, I've been very busy the last few days. |
|
I believe I found the root cause. Did you change the default value for the following configs ? If so, please post the values (I suspect you have removed
|
|
Your assumption is correct. |
|
No it was not obvious at all. I ended up tracing through the code to see exactly what was happening, and it turns out that the final step of text processing in MantisCoreFormatting plugin (processText() method) calls string_restore_valid_html_tags(), which basically undoes the effect of earlier htmlspecialchars() for allowed tags. This explains why @atrol and I could not reproduce the problem, because we both tested with standard settings, and So now that the reason for the behavior has been clarified, I can confirm that the workaround you proposed initially
is correct. I will prepare a fix. |
|
I have implemented the changes. The problem is no longer repeatable. |
|
MantisBT: master-2.26 bcf62d6e 2024-03-27 08:10 Details Diff |
Don't call string_display() on already-escaped data This causes display of `<br />` tags on Advanced Filter form when multiple values for Assigned To and Monitored by when `br` is not allowed in $g_valid_html_tags. Fixes 0034018 |
Affected Issues 0034018 |
|
mod - core/filter_form_api.php | Diff File |
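
The behaviour described in the root-cause comment and in the commit message above, as an added example: a simplified PHP model, not MantisBT's code. `build_user_list()` and `display_filter()` are hypothetical names, `$allowed_tags` stands in for `$g_valid_html_tags`, and the user names are constructed sample data.

```php
<?php
// Added illustration; a simplified model, not MantisBT's code.

// Build the multi-value list: each name is escaped once, the separator is trusted markup.
function build_user_list(array $names): string {
    $escaped = array_map(fn($n) => htmlspecialchars($n, ENT_QUOTES, 'UTF-8'), $names);
    return implode('<br />', $escaped);
}

// Model of a display helper: escape, then restore the tags listed in $allowed_tags
// (assumption: this mirrors the "escape, then restore allowed tags" flow from the thread).
function display_filter(string $html, array $allowed_tags): string {
    // double_encode=false is a modelling choice: existing entities are left alone,
    // so only the raw separator is affected by the second pass.
    $out = htmlspecialchars($html, ENT_QUOTES, 'UTF-8', false);
    if ($allowed_tags === []) {
        return $out;
    }
    $alt = implode('|', array_map(fn($t) => preg_quote($t, '/'), $allowed_tags));
    // Restore bare tags only (no attributes): &lt;br /&gt; becomes <br/>
    return preg_replace('/&lt;(\/?(?:' . $alt . '))\s*(\/?)&gt;/i', '<$1$2>', $out);
}

$names = ['alice', 'Bob <admin>'];   // constructed sample data
$list  = build_user_list($names);    // alice<br />Bob &lt;admin&gt;

$with_br    = display_filter($list, ['p', 'li', 'br', 'b', 'i']); // br allowed
$without_br = display_filter($list, ['p', 'li', 'b', 'i']);       // br removed from the list

echo "built once : $list\n";
echo "br allowed : $with_br\n";     // separator restored to a real tag, bug is masked
echo "br removed : $without_br\n";  // separator stays &lt;br /&gt; and is rendered as text
echo "no 2nd pass: $list\n";        // the fix: output the already-escaped string as-is

// Skipping the second pass is only safe because every name was escaped at build time.
if (strpos($list, '<admin>') !== false) {
    throw new RuntimeException('user name reached the output unescaped');
}
```

With `br` in the allowed list the second escaping pass is invisible, which is why the problem only shows on installations that removed it.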