When a comment changes the project of a case, the module generates two links leading to the old and the new project. Later on these HTML links are run through check_plain() via t('...@new...'), so they will not be clickable, since the <a href> will be fed to the browser as &lt;a href&gt; - in other words, check_plain() is called too later in this case.

CommentFileSizeAuthor
#8 casetracker-839926-8.patch1023 bytesDavid Goode
#1 casetracker-839926-1.patch2.49 KBboobaa

Comments

boobaa’s picture

boobaa
he/him
commented
StatusFileSize
new casetracker-839926-1.patch2.49 KB

And here's a patch that solves it.

boobaa’s picture

boobaa
he/him
commented
Status: Active » Needs review

Oh, somebody please give it a review.

cyu’s picture

cyu commented

Ran across this problem as well after a recent upgrade to latest Open Atrium code. You can see the issue in action at their site right now too, https://community.openatrium.com/issues/node/70#comment-1284

Applied your patch and everything is working fine. Code appears to still perform all the needed check_plain calls to keep things secure.

boobaa’s picture

boobaa
he/him
commented

I wouldn't set my own patch to RTBC, but this asks for it.

zserno’s picture

zserno commented
Status: Needs review » Reviewed & tested by the community

Patch from #1 works as expected and simple enough to give it RTBC. Thanks Boobaa!

jmiccolis’s picture

jmiccolis commented
Status: Reviewed & tested by the community » Fixed

Sorry it took so long to get to this! Committed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

David Goode’s picture

David Goode commented
Status: Closed (fixed) » Reviewed & tested by the community
StatusFileSize
new casetracker-839926-8.patch1023 bytes

Don't check_plain text to be passed to l() because l() does that itself. Mangles & and " and so forth, which are allowed in project titles. New patch to current head, which includes the old one.

jmiccolis’s picture

jmiccolis commented
Status: Reviewed & tested by the community » Fixed

Thanks for the fix David, it's been commited.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.