hg4793:d9e5539303bd when creating or changing an issue, the change notice 
contains brackets or other markup.

E.g. on Firefox 21: "['msg 2 createdissue 1 status, messages edited ok'] "
for rekonq 2.1.3 (using webkit) there is an additional "\n" in between.
See screenshot.

Does this only apply to the demo tracker or are you seeing this for the
standard templates? Since the recent XSS fix did some changes in this
area, can you re-evaluate if this still happens for you?

Thanks
Ralf

I am a little lost here.  It looks like the url is properly escaped.  
This is the url I see when I add an issue -

http://localhost:8917/demo/issue1?
@ok_message=msg%201%20created%0Aissue%201%20created&@template=item

Is this xss?  Are we saying that the ok_message should be plain text?  
The URL remains same, irrespective of the template we use.

My test was with the demo tracker, 
because I haven't set up a real tracker.
I wonder why there should be a difference?

On Wed, Apr 02, 2014 at 06:59:01AM +0000, Pradip Caulagi wrote:
> 
> Pradip Caulagi added the comment:
> 
> I am a little lost here.  It looks like the url is properly escaped.  
> This is the url I see when I add an issue -
> 
> http://localhost:8917/demo/issue1?
> @ok_message=msg%201%20created%0Aissue%201%20created&@template=item
> 
> Is this xss?  Are we saying that the ok_message should be plain text?  
> The URL remains same, irrespective of the template we use.

No this per-se isn't xss. If you insert html into the url, e.g.

...
@ok_message=msg%201%20<i>created</i>%0Aissue%201%20created&@template=item

The <i> and </i> should be escaped, the message should *not* appear in
italics. This -- at least my test say -- is handled correctly.

But the demo tracker seems to show funny messages which the 'classic'
tracker displays properly. The example above (with the escaped html
markup in my example) shows two messages in green on the classic
tracker:

        msg 1 <i>created</i>
        issue 1 created
Plus the
        clear this message 
link.

So my attempt here was to try to find out why this is failing for some
people.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
allmenda.com member                     email: rsc@allmenda.com

On Wed, Apr 02, 2014 at 09:49:41AM +0000, Bernhard Reiter wrote:
> 
> Bernhard Reiter added the comment:
> 
> My test was with the demo tracker, 
> because I haven't set up a real tracker.
> I wonder why there should be a difference?

There *shouldn't* be a difference. But with the latest version I'm
unable to reproduce your problem with the classic tracker. Haven't tried
yet with demo. But if you're faster than me trying this out and report
back this would be nice :-)

Ralf

Tried to recreate the problem:
with rev4891:ad3d628e73f2
python demo.py -t responsive nuke

The message creating and changing an issue displays as expected.

tested with iceweasel 28.0
and Rekonq: 2.4.2

On Sat, Apr 26, 2014 at 08:29:12PM +0000, Bernhard Reiter wrote:
> 
> Bernhard Reiter added the comment:
> 
> Tried to recreate the problem:
> with rev4891:ad3d628e73f2
> python demo.py -t responsive nuke
> 
> The message creating and changing an issue displays as expected.

Thanks!

Ralf